MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83c649919324adc6fddf8db7fbfb4750b8d990e0d1a25edda7b4f0cdcd044d05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83c649919324adc6fddf8db7fbfb4750b8d990e0d1a25edda7b4f0cdcd044d05
SHA3-384 hash: 6cda357659fd4e1c491805421fc8c3ba271cdced978e9d60d83e70ec4518dccf1fcba1052c38eb1c77aed29d11788fa1
SHA1 hash: 24472f38948b2bc2e7fcce07d3ba6f68a78b06d1
MD5 hash: c1128956f3a5d97d01eb3a9a63fce28e
humanhash: failed-avocado-triple-pip
File name:PRE ALERT DOCUMENTS.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:927'232 bytes
First seen:2023-07-21 06:24:27 UTC
Last seen:2023-07-24 13:36:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:lMS6ln+flo/XciMvDlFonmnE3eNOLyS/H/g1EpBDi34fp2GYfpdS0/WliOVAy/Mn:lFTdCjEsKieONco6cYvS0/9OVAy/L
Threatray 443 similar samples on MalwareBazaar
TLSH T1261523AC7667801AD78B0FB15AA436B1522CCFE7F867D6536E07FB32D69D30AC284105
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
271
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRE ALERT DOCUMENTS.exe
Verdict:
Malicious activity
Analysis date:
2023-07-21 06:30:52 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/597daef1-385b-49ef-82c8-fd099e2fcb80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/427310/
Detection(s):
Sanesecurity.Rogue.0hr.20230720-1735.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/83c649919324adc6fddf8db7fbfb4750b8d990e0d1a25edda7b4f0cdcd044d05
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7013ac01-458b-4901-9217-3e70c02c3173
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277327
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277327 Sample: PRE_ALERT_DOCUMENTS.exe Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Sigma detected: Scheduled temp file as task from temp location 2->69 71 4 other signatures 2->71 7 PRE_ALERT_DOCUMENTS.exe 7 2->7         started        11 custody.exe 2->11         started        13 pUGagPvAp.exe 5 2->13         started        15 custody.exe 2->15         started        process3 dnsIp4 51 C:\Users\user\AppData\Roaming\pUGagPvAp.exe, PE32 7->51 dropped 53 C:\Users\...\pUGagPvAp.exe:Zone.Identifier, ASCII 7->53 dropped 55 C:\Users\user\AppData\Local\...\tmpE96A.tmp, XML 7->55 dropped 57 C:\Users\user\...\PRE_ALERT_DOCUMENTS.exe.log, ASCII 7->57 dropped 73 May check the online IP address of the machine 7->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 7->75 77 Adds a directory exclusion to Windows Defender 7->77 18 PRE_ALERT_DOCUMENTS.exe 2 43 7->18         started        22 powershell.exe 21 7->22         started        33 2 other processes 7->33 79 Multi AV Scanner detection for dropped file 11->79 81 Machine Learning detection for dropped file 11->81 83 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 11->83 24 custody.exe 11->24         started        26 schtasks.exe 11->26         started        85 Writes or reads registry keys via WMI 13->85 28 pUGagPvAp.exe 13->28         started        35 2 other processes 13->35 63 192.168.2.1 unknown unknown 15->63 87 Injects a PE file into a foreign processes 15->87 30 custody.exe 15->30         started        37 2 other processes 15->37 file5 signatures6 process7 dnsIp8 59 mail.classicbd.com 119.148.26.9, 465, 49700, 49702 AGNI-ASAgniSystemsLimitedBD Bangladesh 18->59 61 showip.net 162.55.60.2, 49699, 49701, 49706 ACPCA United States 18->61 49 C:\Users\user\AppData\Roaming\...\custody.exe, PE32 18->49 dropped 39 conhost.exe 22->39         started        41 conhost.exe 26->41         started        89 Tries to harvest and steal browser information (history, passwords, etc) 30->89 43 conhost.exe 33->43         started        45 conhost.exe 35->45         started        47 conhost.exe 37->47         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83c649919324adc6fddf8db7fbfb4750b8d990e0d1a25edda7b4f0cdcd044d05/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 10:24:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qpdetemtesw4n7o7rw37x62hkc4nteha2grf5xnhwtym3tiejucq._file
Verdict:
malicious
Similar samples:
270da7c5b8484ac3f7a0e90036e8e88f951de2ba3a22a0cc56e2b5cd8b0cafe3
DarkCloud
42ef434d4f2fbb1d7dcc088b49c7fd18b15a5cc6871d3b03126071f2981de33f
DarkCloud
43b0616d8f71811739454e94f8a91e47dfd51e0d30a38c7a90f78feb6b177556
DarkCloud
8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed
DarkCloud
9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
DarkCloud
b49944bb720e52f3f29bce89cda550a1ffaa4387849cbdc4a7be74f7e02a0aea
DarkCloud
b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059
DarkCloud
b99842b985a6f2f3f6143250917607ccef271d03b631331fa498d7a2b1caa7a1
DarkCloud
c1725944985e772a05352396df8a4f1c2ead57379b075beb7a0b76c5ace344af
DarkCloud
d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3
DarkCloud
+ 433 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230721-g6mc2scc77/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/f3b00185-00a5-4e8c-bc2a-790ddd948984/
SH256 hash:
4c0a085636ed5ebe403718ec31498ca8acc4bbb3089e0fa7652e20eb104d5533
MD5 hash:
d15ab1508930a66f38b38bf9f61e9e81
SHA1 hash:
9afd23bc448b02be3235b530e8d7c2394e276efe
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/f3b00185-00a5-4e8c-bc2a-790ddd948984/
SH256 hash:
aec4fa842cba931664f2e13b002970cff4ad0ea83baab568e6eef81d99107d55
MD5 hash:
39e53820872a3c83671e35c2c07479b7
SHA1 hash:
cff9ef6261aa1ed974bc0aad1fed763e4b2058b8
Link:
https://www.unpac.me/results/f3b00185-00a5-4e8c-bc2a-790ddd948984/
SH256 hash:
f0a13241950588d99de3028a28dec3233dcc0617526fe83fee27ccc2798622dd
MD5 hash:
76ad6f1fa08ec24a2ae2d06cffa2f00e
SHA1 hash:
8ff14607e076e761af5b1203183f4329b32022f9
Link:
https://www.unpac.me/results/f3b00185-00a5-4e8c-bc2a-790ddd948984/
SH256 hash:
9c94944e5af756ac33aa679bdd0d36d1f5b765fd9003258318a75f54b1865ca8
MD5 hash:
f35f3c178cd348f87c74ddd1798e1e80
SHA1 hash:
53211d1901aab8d568384363f399e251dd704589
Link:
https://www.unpac.me/results/f3b00185-00a5-4e8c-bc2a-790ddd948984/
SH256 hash:
83c649919324adc6fddf8db7fbfb4750b8d990e0d1a25edda7b4f0cdcd044d05
MD5 hash:
c1128956f3a5d97d01eb3a9a63fce28e
SHA1 hash:
24472f38948b2bc2e7fcce07d3ba6f68a78b06d1
Link:
https://www.unpac.me/results/f3b00185-00a5-4e8c-bc2a-790ddd948984/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83c649919324adc6fddf8db7fbfb4750b8d990e0d1a25edda7b4f0cdcd044d05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip cc40e0856cd5e37f6b8e17e76637d9fc3699bd36d9dae5b99477e1449cd32b4f

DarkCloud

Executable exe 83c649919324adc6fddf8db7fbfb4750b8d990e0d1a25edda7b4f0cdcd044d05

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 cc40e0856cd5e37f6b8e17e76637d9fc3699bd36d9dae5b99477e1449cd32b4f
Cape
Cape
https://www.capesandbox.com/analysis/427310/
  
Dropped by
MD5 4d0be5f671b890e667017222c4c8fb0b

Comments