MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d85fc44d14db757a98732f263d8000a5804ffc8c727db5a7ee405297547fcc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d85fc44d14db757a98732f263d8000a5804ffc8c727db5a7ee405297547fcc2
SHA3-384 hash: 07b05fa79b2363005e44899fae0908b5041b6b207744213daea1806f9eed7445e700b5db3a72e2efc500d8e1b8e38c74
SHA1 hash: f4b4703a71bd1ae7ca4b1a94a8929bb640b66d72
MD5 hash: 1e5e4d837c446a5b2c8dfbcaf1417457
humanhash: eighteen-hotel-artist-robert
File name:payment advice.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'006'080 bytes
First seen:2023-08-03 07:15:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:rAzGFTyPX92M5DOZgewdoIUgXJMldVN1fAQjwUQ:r7FTyP9hDigegBGlr7fAm
Threatray 405 similar samples on MalwareBazaar
TLSH T10525BEF83110A7DEC627CABF89571C74991338664237D28A723F35989E5DAD38E109F2
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
payment advice.exe
Verdict:
No threats detected
Analysis date:
2023-08-03 07:24:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f5a1cbb6-3158-4346-ad03-0a1beb619fa1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/440014/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.28872.18611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64cb5435539838c2be5208d3/reports/fbffdabe-0824-4435-9fcb-9cdb8b4216d8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7d85fc44d14db757a98732f263d8000a5804ffc8c727db5a7ee405297547fcc2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ec5f421-88ef-4c88-8eeb-9985b804ce39
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284913
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1284913 Sample: payment_advice.exe Startdate: 03/08/2023 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 5 other signatures 2->51 7 payment_advice.exe 7 2->7         started        11 Wvvmjbm.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\Wvvmjbm.exe, PE32 7->33 dropped 35 C:\Users\user\...\Wvvmjbm.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\Temp\tmp62D.tmp, XML 7->37 dropped 39 C:\Users\user\...\payment_advice.exe.log, ASCII 7->39 dropped 55 Detected unpacking (changes PE section rights) 7->55 57 Detected unpacking (overwrites its own PE header) 7->57 59 May check the online IP address of the machine 7->59 69 3 other signatures 7->69 13 payment_advice.exe 1 47 7->13         started        16 powershell.exe 21 7->16         started        18 schtasks.exe 1 7->18         started        61 Antivirus detection for dropped file 11->61 63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 20 Wvvmjbm.exe 11->20         started        23 schtasks.exe 11->23         started        25 Wvvmjbm.exe 11->25         started        signatures5 process6 dnsIp7 41 mail.toliptaba.com 108.167.158.119, 49698, 49700, 49701 UNIFIEDLAYER-AS-1US United States 13->41 43 showip.net 162.55.60.2, 49697, 49699, 80 ACPCA United States 13->43 27 conhost.exe 16->27         started        29 conhost.exe 18->29         started        53 Tries to harvest and steal browser information (history, passwords, etc) 20->53 31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d85fc44d14db757a98732f263d8000a5804ffc8c727db5a7ee405297547fcc2/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-02 08:53:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwc7yrgrjw3vpkmhglzghwaabjmaj76iy4t5wwt64qcss5kh7tba._file
Verdict:
malicious
Similar samples:
0c1b251249518e1b58f3dc0cc771bf74bbadcb46c6175f45f1a0fe4d7740ca95
DarkCloud
0f249132a60bf6e772fc500ac0fe11a564feae9e738f29c40424f88ff5ba623f
DarkCloud
178dfba1bc6c689b9f3170003e559431a5244f43b8b0639d37ed77446bd9ebca
DarkCloud
38e497ba967a7027611f38d868b02f7c00405cc0cde0500ee32a61103dddd4f4
DarkCloud
3ddab0e4f018293bc930fb5a635c471074af3cce36801955d938d3eae8a5c737
DarkCloud
80c0c7648149fdb4b41f5abc6316de36da5c3133676d4c9d68e783ba70cb46c0
DarkCloud
e861fe12d7b0d6d722015418a078caa0684fc3a57da6cb52f2925b42c7719fca
DarkCloud
ec7d100b0dadc5c38ecb39309a02e826bd167ad25a28f4cf8b0d8c52aeca7018
DarkCloud
ee858a17d787e31279091138c83eea1ab9c48d04cd7ab79caf5a6f3e4d5f7ace
DarkCloud
fe612af3d7883a25ca19eca8440e32741aa66e69c80a7275a13bdd91023399c6
DarkCloud
+ 395 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230803-h3ttdsbh73/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/4d82c36a-b84d-4959-b6f6-068cff082961/
SH256 hash:
394123941edd8a70e9638019476bc767fdee3323a5b47e0284c167962c21d35c
MD5 hash:
f97de39d30281fb2b6fad6efade042b8
SHA1 hash:
b708cf12f323d5c98c042fb154b3850cd07b64f1
Link:
https://www.unpac.me/results/4d82c36a-b84d-4959-b6f6-068cff082961/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/4d82c36a-b84d-4959-b6f6-068cff082961/
SH256 hash:
e875723fb627081ecf4885aad0218519e33e1eaea460a3965f8acbd70b1c041d
MD5 hash:
8dca5e45577a1c835f80cba6a985c045
SHA1 hash:
910d993b16f47aa559dd3ba0d3157977ccdc5843
Link:
https://www.unpac.me/results/4d82c36a-b84d-4959-b6f6-068cff082961/
SH256 hash:
b1fa05caeba8227661bd2b9d699fe8c4e227ff26838e93c6213b46a7a2a5fef8
MD5 hash:
89ee0aab911ddf0ab6bb03b3d50bdc9f
SHA1 hash:
0004af4e3a4394b260efd78fcce82ce127db8201
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/4d82c36a-b84d-4959-b6f6-068cff082961/
SH256 hash:
7d85fc44d14db757a98732f263d8000a5804ffc8c727db5a7ee405297547fcc2
MD5 hash:
1e5e4d837c446a5b2c8dfbcaf1417457
SHA1 hash:
f4b4703a71bd1ae7ca4b1a94a8929bb640b66d72
Link:
https://www.unpac.me/results/4d82c36a-b84d-4959-b6f6-068cff082961/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d85fc44d14d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 7d85fc44d14db757a98732f263d8000a5804ffc8c727db5a7ee405297547fcc2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/440014/

Comments