MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f
SHA3-384 hash: 41705bd47ad7d340124ec0c658d60f2b1731f88aed383d8b0331a8aae7f87898161e5056347adcf71cc4e933726dbacf
SHA1 hash: e66ca4c8909b8c4a1e082c5dc612c961b1af925d
MD5 hash: 8eb7f43c1878993e493f6ae75b1e9977
humanhash: mississippi-music-six-arizona
File name:PURCHASE_ORDER_NO_D000504.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'905'664 bytes
First seen:2025-02-17 22:31:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f72f014a8f96ef95753b4961e95532a3 (3 x RemcosRAT, 2 x DarkCloud, 1 x DBatLoader)
ssdeep 49152:CWFuLZoC0CGIAOzi6UDSFJIayYgNpaz+s:CWFuLaQ7L85RYgSj
Threatray 16 similar samples on MalwareBazaar
TLSH T1A595CF31964040F2F062273ECA7697DD779D6E323B14A46A2AFCFE882D7D5C6B418172
TrID 89.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
7.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
1.4% (.EXE) Win64 Executable (generic) (10522/11/4)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 2836b28e8e92e465 (3 x DBatLoader, 2 x DarkCloud, 2 x VIPKeylogger)
Reporter TeamDreier
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
529
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE_ORDER_NO_D000504_1.7z
Verdict:
Malicious activity
Analysis date:
2025-02-17 22:32:56 UTC
Tags:
arch-exec delphi stealer telegram evasion
Link:
https://app.any.run/tasks/5ea8823b-06d6-4c2b-a626-31f6ca641400

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Sinowal-9756760-0
Create hunting rule

Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b3b9eaa0fd713c335b83b8
Tags:
emotet shell blic sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for the window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi explorer fingerprint keylogger lolbin masquerade obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67b3b8e9633d7333628959d2/reports/f806de9b-ebf9-47bd-a3a5-8bb8980876ab/overview
Verdict:
Malicious
Labled as:
TrojanDownloader.ModiLoader
Link:
https://www.hybrid-analysis.com/sample/820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d2950f7-d2c8-4ddf-bb77-b04e06ec7b6c
Result
Threat name:
DBatLoader, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1617446
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected DarkCloud
Yara detected DBatLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1617446 Sample: PURCHASE_ORDER_NO_D000504.exe Startdate: 17/02/2025 Architecture: WINDOWS Score: 100 40 showip.net 2->40 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected DarkCloud 2->48 50 7 other signatures 2->50 8 PURCHASE_ORDER_NO_D000504.exe 6 2->8         started        signatures3 process4 file5 34 C:\Windows \SysWOW64\svchost.pif, PE32+ 8->34 dropped 36 C:\Windows \SysWOW6436ETUTILS.dll, PE32+ 8->36 dropped 38 C:\Users\Public\Libraries\zfwxcjxL.pif, PE32 8->38 dropped 56 Drops PE files with a suspicious file extension 8->56 58 Writes to foreign memory regions 8->58 60 Allocates memory in foreign processes 8->60 62 3 other signatures 8->62 12 zfwxcjxL.pif 15 8->12         started        16 cmd.exe 1 8->16         started        18 cmd.exe 3 8->18         started        signatures6 process7 dnsIp8 42 showip.net 162.55.60.2, 49704, 80 ACPCA United States 12->42 64 Detected unpacking (changes PE section rights) 12->64 66 Detected unpacking (overwrites its own PE header) 12->66 68 Tries to harvest and steal browser information (history, passwords, etc) 12->68 70 2 other signatures 12->70 20 WmiPrvSE.exe 12->20         started        22 extrac32.exe 1 16->22         started        26 conhost.exe 16->26         started        28 ndpha.pif 16->28         started        30 conhost.exe 18->30         started        signatures9 process10 file11 32 C:\Users\Public\ndpha.pif, PE32 22->32 dropped 52 Drops PE files to the user root directory 22->52 54 Drops PE files with a suspicious file extension 22->54 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f/
Threat name:
Win32.Trojan.DBatLoader
Create hunting rule
Status:
Malicious
First seen:
2025-02-17 22:32:11 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qifbfwoumusfwr4wlwgyeeaucg2x7wygj2etekuex6na6vmzevhq._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
113b0682050e0eae6a815e77389a637c64673ed582477ba34f966683bee79cee
DarkCloud
1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0
DarkCloud
3f7d4827bfbe25072981dbe089ca358e317f42218d654cf31486cdf9598c16be
DarkCloud
a8ad0cb7c6c4d332bc50ca8af649af8877555a79e0d4d1df3cad1ea68acd26fb
DarkCloud
b53b26656933d4ccf3c6665d5ca45ea9e9db1463bd96aa1c0a372b658db23574
DarkCloud
error
DarkCloud
f72ebfe6f11291393acec156f0f73b1eb5abf74761d5de8dd7b55839542c56af
DarkCloud
+ 6 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery spyware stealer trojan
Link:
https://tria.ge/reports/250217-2fzkxavqw4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
Win.Trojan.Sinowal-9756760-0
YARA:
n/a
Link:
https://app.threat.zone/submission/2b6b0583-0a13-4d87-ac38-ee2a11df26c0
Unpacked files
SH256 hash:
820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f
MD5 hash:
8eb7f43c1878993e493f6ae75b1e9977
SHA1 hash:
e66ca4c8909b8c4a1e082c5dc612c961b1af925d
Link:
https://www.unpac.me/results/c60a79c7-3077-4ffb-9d20-ebb15817560f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
gdiplus.dll::GdipCreateFromHDC
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WinExec
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::AppendMenuA
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowA
user32.dll::OpenClipboard

Comments