MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 876d5ac08e8e7b2c195a78a6a670dc302dce66e537a109f2e03351cd7d5289d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 876d5ac08e8e7b2c195a78a6a670dc302dce66e537a109f2e03351cd7d5289d5
SHA3-384 hash: cad8976c71f5e36ed1e4df1dc12515ddfb85e91b5c783110af74e7bbe3561fa4f7e9511c4325a26d20d6af25206e441f
SHA1 hash: 159c9dc24095316da8abcef8aa44506c78307a31
MD5 hash: 51d889441d1ae8fa7c2fcc3be3ba9b10
humanhash: coffee-oregon-august-eighteen
File name:(NATIONAL UNIVERSITY OF SINGAPORE) NUS5694BU463 QT.js
Download: download sample
Signature DarkCloud
Create hunting rule
File size:933 bytes
First seen:2023-04-14 06:49:06 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 24:p+jZa85my142MfcmZE/CA82cEXEkfdbNeee:Ua8ZPSc6wVNcEHFc
TLSH T15811590E9C1CE18662713BFAAB1BAA0CDCE1483B2613E612768CDEC06F3412405A4D6F
Reporter cocaman
Tags:DarkCloud js

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.25834.JsHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit nemucod obfuscated remcos shell32.dll
Link:
https://www.filescan.io/uploads/6438f79c0c9f1744b585f803/reports/8687c171-dbe2-44b9-8298-908827536265/overview
Verdict:
Malicious
Labled as:
Exploit.EXE
Link:
https://www.hybrid-analysis.com/sample/876d5ac08e8e7b2c195a78a6a670dc302dce66e537a109f2e03351cd7d5289d5
Result
Verdict:
MALICIOUS
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213700
Signature
Antivirus detection for dropped file
Benign windows process drops PE files
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
JavaScript file contains suspicious strings
JScript performs obfuscated calls to suspicious functions
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 846628 Sample: (NATIONAL_UNIVERSITY_OF_SIN... Startdate: 14/04/2023 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected DarkCloud 2->46 48 5 other signatures 2->48 8 wscript.exe 14 2->8         started        process3 dnsIp4 32 transfer.sh 144.76.136.153, 443, 49691 HETZNER-ASDE Germany 8->32 24 C:\Users\user\AppData\Roaming\chrome.exe, PE32 8->24 dropped 52 System process connects to network (likely due to code injection or exploit) 8->52 54 Benign windows process drops PE files 8->54 56 JScript performs obfuscated calls to suspicious functions 8->56 13 chrome.exe 19 8->13         started        file5 signatures6 process7 file8 26 C:\Users\user\AppData\Local\...\ucpmnyjlw.exe, PE32 13->26 dropped 58 Antivirus detection for dropped file 13->58 60 Multi AV Scanner detection for dropped file 13->60 17 ucpmnyjlw.exe 13->17         started        signatures9 process10 signatures11 34 Antivirus detection for dropped file 17->34 36 Multi AV Scanner detection for dropped file 17->36 38 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 17->38 40 3 other signatures 17->40 20 ucpmnyjlw.exe 1 33 17->20         started        process12 dnsIp13 28 api.telegram.org 149.154.167.220, 443, 49699 TELEGRAMRU United Kingdom 20->28 30 showip.net 162.55.60.2, 49698, 80 ACPCA United States 20->30 50 Tries to harvest and steal browser information (history, passwords, etc) 20->50 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/876d5ac08e8e7b2c195a78a6a670dc302dce66e537a109f2e03351cd7d5289d5/
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 08:15:21 UTC
File Type:
Text (VBS)
AV detection:
13 of 36 (36.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5wvvqeorz5sygk2pctkm4g4gaw44zxfg6qqt4xagni427ksrhkq._file
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230414-hlye9aab7v/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6111853930:AAG17B4Rp0N5JOuu_E6TDmywX961M_dYkrI/sendMessage?chat_id=5237953097
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/876d5ac08e8e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip c290e0bdb81c04ea7bf7a2154d9a52fb097416628350cfaefbc642ae781affe8

DarkCloud

Java Script (JS) js 876d5ac08e8e7b2c195a78a6a670dc302dce66e537a109f2e03351cd7d5289d5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c290e0bdb81c04ea7bf7a2154d9a52fb097416628350cfaefbc642ae781affe8
  
Dropped by
MD5 a1a68f938b704977018d5a0ef3e544cf

Comments