MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8471e4241857b78c135a6e0b5b218ede15f8d07afa8c8a2036332f1b77dbff17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8471e4241857b78c135a6e0b5b218ede15f8d07afa8c8a2036332f1b77dbff17
SHA3-384 hash: 885a52ca9e34730731328d3e2d865fdc6229c29d47bdc5840398ab62f8e3c0434400dafc79ee923d54763b264f432302
SHA1 hash: 4402e279a143fe7dfee2d729d618b8183711356b
MD5 hash: c95f6f14d74185580416b30bc0e3e1cd
humanhash: failed-apart-nine-lake
File name:Hesap hareketleriniz.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:872'448 bytes
First seen:2023-04-14 06:03:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:E47P77/imLGP9TfL2AG81IVwo6dG+kzltTbTr7VmeCe:3amLGP9TfL29815d741C
Threatray 132 similar samples on MalwareBazaar
TLSH T179052311B3779A11F43D173688C2440403B29913A522EB0E9DD631AE4B5F7D69FA2FAF
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000c4c4e4c47000 (17 x AgentTesla, 7 x SnakeKeylogger, 6 x Loki)
Reporter abuse_ch
Tags:DarkCloud exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hesap hareketleriniz.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-14 06:10:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/37687037-7052-4d74-8062-8a932dbfd2fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382144/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/6438ecd38cbb8f4be303ba1a/reports/4ac2b799-e002-4935-a0cd-97a1c78bb576/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8471e4241857b78c135a6e0b5b218ede15f8d07afa8c8a2036332f1b77dbff17
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2520594-1ef4-4d7d-8463-4d6871d387f6
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213662
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8471e4241857b78c135a6e0b5b218ede15f8d07afa8c8a2036332f1b77dbff17/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qry6ijayk63yye22nyfvwimo3yk7rud27kgiuibwgmxrw56374lq._file
Verdict:
malicious
Similar samples:
04a42e9d0b1c019989d91249331e0920703296490ab8a565bed15e1a0e1742fc
DarkCloud
0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a
DarkCloud
2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8
DarkCloud
5bfe34e8eb631772435358e76505165c19651fb9750c1817a602e6e27d12c3bb
DarkCloud
67987af9c454a2d990d14f53a2fe1763447e58ed1a5d6deec4d41f258ff6772d
DarkCloud
bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f
DarkCloud
c86d38aa757ac108e7d31f03848e49091391730cf0d132b71e70d487c919f68c
DarkCloud
ce33f260e52f5ea18962a5993e4275c41f527004b57ccc48d518b4ad3b310850
DarkCloud
d47c8ba828cb3c52a859e80ea08a306dcbe0c75d957c1809580d08e37c6407a7
DarkCloud
f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
DarkCloud
+ 122 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230414-gsd5hshh91/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6184540341:AAESjcBiCB06MnsvcbWmwRqleegtfskivZ4/sendMessage?chat_id=2010050792
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/f4d778aa-d083-49be-bfeb-d7a7b789ca1b/
SH256 hash:
0bd065dd0bc665bbbe5584f8da0bafc5bf5d3bfc34c8830b87d8d0686e69a7f4
MD5 hash:
2ec28f348a1ff1aa3a08e5a25c73c18b
SHA1 hash:
68b2a0b4fbc49c76a1a63c984aa4f11b06db10f2
Link:
https://www.unpac.me/results/f4d778aa-d083-49be-bfeb-d7a7b789ca1b/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/f4d778aa-d083-49be-bfeb-d7a7b789ca1b/
SH256 hash:
24a52c93323ed736d9352e4e8784ed03eca263e96f2ec59260d4f0893a9eba64
MD5 hash:
a0a4c7074e8401e7c85afb5708b7ece0
SHA1 hash:
9388073f2925d273c15fe40ca480da521ddc48d6
Link:
https://www.unpac.me/results/f4d778aa-d083-49be-bfeb-d7a7b789ca1b/
SH256 hash:
3e4d6bb2cb633b4057d1f41e29f090efe84d47d185ce8263fe27f4608ac1ea85
MD5 hash:
5a1770edd48cb1c38dd498930075c14b
SHA1 hash:
766ccca996d956bc8908b71c2e7a30404ecc2ff2
Link:
https://www.unpac.me/results/f4d778aa-d083-49be-bfeb-d7a7b789ca1b/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/f4d778aa-d083-49be-bfeb-d7a7b789ca1b/
SH256 hash:
8471e4241857b78c135a6e0b5b218ede15f8d07afa8c8a2036332f1b77dbff17
MD5 hash:
c95f6f14d74185580416b30bc0e3e1cd
SHA1 hash:
4402e279a143fe7dfee2d729d618b8183711356b
Link:
https://www.unpac.me/results/f4d778aa-d083-49be-bfeb-d7a7b789ca1b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 8471e4241857b78c135a6e0b5b218ede15f8d07afa8c8a2036332f1b77dbff17

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382144/

Comments