MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88e5b0195785890d324ec49f11d0fcfd1f33c0b61d364825e6bb04831abc7fbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88e5b0195785890d324ec49f11d0fcfd1f33c0b61d364825e6bb04831abc7fbf
SHA3-384 hash: b044b64b57db4617d8587effb097e066d35591341140b95d0ef3fdc36b0d129c89d38bf200c7ab523f2b179d01d0255e
SHA1 hash: 6a5bafaf92e61712334b568d56896eb2613666c7
MD5 hash: e9a32c39471da0a007579b86dfd4ce38
humanhash: montana-uniform-burger-romeo
File name:e9a32c39471da0a007579b86dfd4ce38
Download: download sample
Signature DarkCloud
Create hunting rule
File size:910'848 bytes
First seen:2023-07-26 07:39:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'853 x AgentTesla, 19'780 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 24576:7f1xUL3sZxy6bpyVnJatGLtBxqg6IOBc8/M/:TT2f6NyVnJatGLHogXO28k/
Threatray 171 similar samples on MalwareBazaar
TLSH T1D6151215AC695E08C83B53B0925587140FA3ED9AA931DE9569F321DFDD37FE032C0AA3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 7aca8abab4a4b8da (33 x AgentTesla, 32 x SnakeKeylogger, 4 x DarkCloud)
Reporter zbetcheckin
Tags:32 DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Product-List.docx
Verdict:
Malicious activity
Analysis date:
2023-07-26 05:05:07 UTC
Tags:
exploit cve-2017-11882 loader darkcloud
Link:
https://app.any.run/tasks/5e145cce-607d-4918-bbf4-b520d216d150

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/433440/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64c0cdd52ad0f7418d6aeb8d/reports/584d730e-ed98-4a2f-892e-88b25dc414f4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/88e5b0195785890d324ec49f11d0fcfd1f33c0b61d364825e6bb04831abc7fbf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/628d8843-c7b4-47f1-b664-bacc9c4111bb
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279894
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279894 Sample: HI6OAPwutQ.exe Startdate: 26/07/2023 Architecture: WINDOWS Score: 100 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Sigma detected: Scheduled temp file as task from temp location 2->68 70 5 other signatures 2->70 7 HI6OAPwutQ.exe 7 2->7         started        11 mAOwtrwDPqE.exe 5 2->11         started        13 fryers.exe 2->13         started        15 fryers.exe 2->15         started        process3 file4 50 C:\Users\user\AppData\...\mAOwtrwDPqE.exe, PE32 7->50 dropped 52 C:\Users\...\mAOwtrwDPqE.exe:Zone.Identifier, ASCII 7->52 dropped 54 C:\Users\user\AppData\Local\...\tmp3905.tmp, XML 7->54 dropped 56 C:\Users\user\AppData\...\HI6OAPwutQ.exe.log, ASCII 7->56 dropped 72 May check the online IP address of the machine 7->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 7->74 76 Adds a directory exclusion to Windows Defender 7->76 17 HI6OAPwutQ.exe 1 17 7->17         started        21 powershell.exe 17 7->21         started        23 schtasks.exe 1 7->23         started        78 Multi AV Scanner detection for dropped file 11->78 80 Writes or reads registry keys via WMI 11->80 82 Injects a PE file into a foreign processes 11->82 25 mAOwtrwDPqE.exe 15 11->25         started        27 schtasks.exe 1 11->27         started        29 fryers.exe 13->29         started        31 schtasks.exe 13->31         started        33 fryers.exe 15->33         started        36 4 other processes 15->36 signatures5 process6 dnsIp7 58 showip.net 162.55.60.2, 49699, 49700, 49701 ACPCA United States 17->58 48 C:\Users\user\AppData\Roaming\...\fryers.exe, PE32 17->48 dropped 38 conhost.exe 21->38         started        40 conhost.exe 23->40         started        60 192.168.2.1 unknown unknown 25->60 42 conhost.exe 27->42         started        44 conhost.exe 31->44         started        62 Tries to harvest and steal browser information (history, passwords, etc) 33->62 46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88e5b0195785890d324ec49f11d0fcfd1f33c0b61d364825e6bb04831abc7fbf/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 04:35:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rds3agkxqweq2msoysprduh47upthqfwdu3eqjpgxmciggv4p67q._file
Verdict:
malicious
Similar samples:
0802c13f11828457c8cd914c34d00517fc2ddccfb9060f34d90d01c01db4e47e
DarkCloud
11592500f755d82318d47eca784ea07ae649253a8655687d1c61f852f9e9eac9
DarkCloud
2150f0caeac604ff6b396c3cf863dab727dca9b3c996a7a2aa7e5ea78d0bdae3
DarkCloud
295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87
DarkCloud
36d0c8e58fabe82307b7b36444e075f5dccd1a57e7b73551d335f76645b11274
DarkCloud
42ef434d4f2fbb1d7dcc088b49c7fd18b15a5cc6871d3b03126071f2981de33f
DarkCloud
a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e
DarkCloud
ad9af6543f3eda2c556ad005fc4f5b3b3b5298f54312d1fda5354534903f55af
DarkCloud
b99842b985a6f2f3f6143250917607ccef271d03b631331fa498d7a2b1caa7a1
DarkCloud
c5dc5d0cc0ec3f2f607941f8d44019001ca18ab09abda656d4e68a5219d0e576
DarkCloud
+ 161 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230726-jhlsqaab87/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/52bb563a-0bd9-40d5-9710-ff304dc87fc8/
SH256 hash:
7060005d0f5e468ccf3aa3b7aadf5eb3a860fafd6f6dc41fbbb11f2565cc0ba9
MD5 hash:
a35822109fa5921d8f28d69f0b699e95
SHA1 hash:
aa9ad4e419fc0fb7fa3e748f537c6091d57854f4
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/52bb563a-0bd9-40d5-9710-ff304dc87fc8/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/52bb563a-0bd9-40d5-9710-ff304dc87fc8/
SH256 hash:
1bf69033e97a8ad8d59469dd2f1aa57bab7461345e9993acc83afa48029c95ac
MD5 hash:
58419415321b3303da79fcd299874125
SHA1 hash:
a7a4c4fb47ccefd232a543219e2f4e0e12520912
Link:
https://www.unpac.me/results/52bb563a-0bd9-40d5-9710-ff304dc87fc8/
SH256 hash:
9cf2d50d4a220b9847fc0242e338b5ca7d7f5c8af038ec8306cceee31f8fa4db
MD5 hash:
60d4e64c6865153865ee7c311d66990f
SHA1 hash:
1e61cbcf723cd0d127fcd8cd7233056f06dba6c9
Link:
https://www.unpac.me/results/52bb563a-0bd9-40d5-9710-ff304dc87fc8/
SH256 hash:
88e5b0195785890d324ec49f11d0fcfd1f33c0b61d364825e6bb04831abc7fbf
MD5 hash:
e9a32c39471da0a007579b86dfd4ce38
SHA1 hash:
6a5bafaf92e61712334b568d56896eb2613666c7
Link:
https://www.unpac.me/results/52bb563a-0bd9-40d5-9710-ff304dc87fc8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88e5b0195785890d324ec49f11d0fcfd1f33c0b61d364825e6bb04831abc7fbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkCloud

Executable exe 88e5b0195785890d324ec49f11d0fcfd1f33c0b61d364825e6bb04831abc7fbf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2690167/
Cape
Cape
https://www.capesandbox.com/analysis/433440/

Comments


Avatar
zbet commented on 2023-07-26 07:39:28 UTC

url : hxxp://107.175.202.150/110/ChromeSetup.exe