MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8838c8ec2ad1e7f3d9b4efcd3c0c2134507988c60915b2a2a6bf10eac2fb3cde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8838c8ec2ad1e7f3d9b4efcd3c0c2134507988c60915b2a2a6bf10eac2fb3cde
SHA3-384 hash: bdee445094ebb5cd703dbb6f314bd924e7579245437fef915b249e6e08cb3bfabe4345113e3970dd404486fb0e4203d3
SHA1 hash: 32a258bccbeda4b9bba2d7bbc4679a31fa58bb81
MD5 hash: fdbce7853fd4e5e1e10d6060f6dae122
humanhash: lithium-jig-johnny-east
File name:Purchase List Xls.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'123'328 bytes
First seen:2023-09-21 06:52:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:yV1gBwoZLueV335shh2AvxocjcmLH3yd2OluON4fA9uC:yV1zoQAZbAv2vmD3yd2OluON4fA9u
Threatray 193 similar samples on MalwareBazaar
TLSH T1CA35CFA022E69F55F036A3B00705C5634792FDFAE23FD35A2B417A064D7D98268D2BD3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c0bed49cad2d3922 (15 x SnakeKeylogger, 9 x AgentTesla, 2 x HawkEye)
Reporter TeamDreier
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase List Xls.exe
Verdict:
Malicious activity
Analysis date:
2023-09-21 06:53:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cec83078-eb51-4b41-b656-45afca14e0a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450271/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.24443.54.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/650be852f1b40cb0d61fc0f9/reports/026d5fa5-ff5d-46f5-b5e8-c73e0e472fef/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8838c8ec2ad1e7f3d9b4efcd3c0c2134507988c60915b2a2a6bf10eac2fb3cde
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4f6d6b0-4f52-4b76-bde3-0e2356949bcd
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312066
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1312066 Sample: Purchase_List_Xls.exe Startdate: 21/09/2023 Architecture: WINDOWS Score: 100 53 showip.net 2->53 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 8 other signatures 2->63 8 Purchase_List_Xls.exe 6 2->8         started        12 sCCATp.exe 5 2->12         started        14 quipped.exe 2->14         started        16 quipped.exe 2->16         started        signatures3 process4 file5 49 C:\Users\user\AppData\Roaming\sCCATp.exe, PE32 8->49 dropped 51 C:\Users\user\AppData\Local\...\tmpAE79.tmp, XML 8->51 dropped 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->69 71 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->71 73 Uses schtasks.exe or at.exe to add and modify task schedules 8->73 18 Purchase_List_Xls.exe 1 132 8->18         started        23 schtasks.exe 1 8->23         started        25 Purchase_List_Xls.exe 8->25         started        75 Multi AV Scanner detection for dropped file 12->75 77 Machine Learning detection for dropped file 12->77 79 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 12->79 27 schtasks.exe 1 12->27         started        29 sCCATp.exe 104 12->29         started        81 Writes or reads registry keys via WMI 14->81 83 Injects a PE file into a foreign processes 14->83 31 schtasks.exe 14->31         started        33 quipped.exe 14->33         started        35 quipped.exe 16->35         started        37 schtasks.exe 16->37         started        signatures6 process7 dnsIp8 55 showip.net 162.55.60.2, 49759, 49762, 49772 ACPCA United States 18->55 47 C:\Users\user\AppData\Roaming\...\quipped.exe, PE32 18->47 dropped 65 Found many strings related to Crypto-Wallets (likely being stolen) 18->65 39 conhost.exe 23->39         started        41 conhost.exe 27->41         started        43 conhost.exe 31->43         started        67 Tries to harvest and steal browser information (history, passwords, etc) 35->67 45 conhost.exe 37->45         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8838c8ec2ad1e7f3d9b4efcd3c0c2134507988c60915b2a2a6bf10eac2fb3cde/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 21:12:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
18 of 35 (51.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ra4mr3bk2ht7hwnu57gtydbbgrihtcggbek3fivgx4iovqx3htpa._file
Verdict:
malicious
Similar samples:
16329a763d15e6e2a873bf3c0ca87f5cbce617912ba840b2a375a65225f43b50
DarkCloud
46165206f430648e60c96434490576705decd79d2641b99110e277c7c2dad1d5
DarkCloud
62456d25e43ca60a3c6763d68a70b39d09138b56b287a40f95584b563ac5bb11
DarkCloud
78b984255563f6e9fd26b210764ed39935bc6bb73258e417b2cd88f5b2c53399
DarkCloud
7bdbdf1864e94261b323235ffa2dd241a953f89dae35a2115662cac696e65dfd
DarkCloud
9a47498d6cca04174397628bd83a00ecf809d4d58d8c523912b8a85586f87658
DarkCloud
db8e8b79571753172812ca401f3baebabf3ddabd02c6be0dff616a618e06f783
DarkCloud
e2156ff475b7949c41408fa558cb1db6fab7ea0d5696c3299d6d6ad9ff478bbf
DarkCloud
f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45
DarkCloud
+ 183 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud evasion stealer
Link:
https://tria.ge/reports/230921-hnmfrsea4y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/bfcbc4fa-a44a-4b16-9c6f-e264d7f9c7b8/
SH256 hash:
0b4c93addb0071e4cc368bc5e46a535e2eafd360b5db8b6c87620d7225eade2d
MD5 hash:
e17d9bb18c1bf12de8c75fa570f4cf72
SHA1 hash:
97751a31524557387d136e0e42e204186d00b5dd
Link:
https://www.unpac.me/results/bfcbc4fa-a44a-4b16-9c6f-e264d7f9c7b8/
SH256 hash:
87123bdffc47621682d51d0dec6190cfe753239a94f356b3de995ee486a04420
MD5 hash:
cc4d4ba22a9e21caf42de39903374d7b
SHA1 hash:
5c061e26a6dabee93fa8e1d5b4d0f812f41a489f
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/bfcbc4fa-a44a-4b16-9c6f-e264d7f9c7b8/
SH256 hash:
f46ffa4a4b70b3393cf3c4f03bc85feea9f7dc50a92f743bc68064f4c46ff25e
MD5 hash:
16da63459dbb41179d27d587d0fe4305
SHA1 hash:
1b4fdcb50003898c80006417f98c0724c88d2bfd
Link:
https://www.unpac.me/results/bfcbc4fa-a44a-4b16-9c6f-e264d7f9c7b8/
SH256 hash:
8838c8ec2ad1e7f3d9b4efcd3c0c2134507988c60915b2a2a6bf10eac2fb3cde
MD5 hash:
fdbce7853fd4e5e1e10d6060f6dae122
SHA1 hash:
32a258bccbeda4b9bba2d7bbc4679a31fa58bb81
Link:
https://www.unpac.me/results/bfcbc4fa-a44a-4b16-9c6f-e264d7f9c7b8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8838c8ec2ad1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8838c8ec2ad1e7f3d9b4efcd3c0c2134507988c60915b2a2a6bf10eac2fb3cde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 8838c8ec2ad1e7f3d9b4efcd3c0c2134507988c60915b2a2a6bf10eac2fb3cde

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450271/

Comments