MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8950ea9b316232851e595d026da62e01421b47d39f7306601abaf3de87f3254e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8950ea9b316232851e595d026da62e01421b47d39f7306601abaf3de87f3254e
SHA3-384 hash: ce3cb6dbaf4c48f7e5cb50f402af775defd4a789171d4e02d322c419fd4f0bc60be36793cc1beac6eaa92aa57a3f0910
SHA1 hash: 401f302dd6ceda507d934ba07f5e88c64315be98
MD5 hash: 73f5c3149f33caa94257f4186362ba59
humanhash: four-yankee-five-montana
File name:SecuriteInfo.com.Win32.DropperX-gen.14973.2975
Download: download sample
Signature DarkCloud
Create hunting rule
File size:887'808 bytes
First seen:2023-01-18 19:31:11 UTC
Last seen:2023-01-18 20:30:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:N3UhASDj5uufB+vyq+3C73qgYOCXGZxQTl:VMASvAeqylS73QZWjQTl
Threatray 6'260 similar samples on MalwareBazaar
TLSH T1A7158C410A7B82F2E4F94E78167CA4182BA21CD147BDB13A7D8A7DBA8DE774F0055723
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.DropperX-gen.14973.2975
Verdict:
Malicious activity
Analysis date:
2023-01-18 19:32:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3b919359-6056-4074-ab4d-748c41a387fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354243/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.14973.2975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c8493786e9647bb4c9d822/reports/f1744bef-ce8a-43d1-ac20-85f387b9c2b4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/abcbb2c0-edc8-47d4-b032-04ee9b3cebe4
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154130
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8950ea9b316232851e595d026da62e01421b47d39f7306601abaf3de87f3254e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-18 16:43:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rfiovgzrmizikhszlubg3jroafbbwr6tt5zqmya2xlz55b7tevha._file
Verdict:
malicious
Similar samples:
0113aeb6aaebe1d0bf883dd7722ac71903050fdbfb17c4f9a59aa60454c869a8
DarkCloud
0348a82d352ecd1956ab04b95be5123a26f28a63fd84f169d4a5abf90901e7bf
DarkCloud
0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a
DarkCloud
2cb40ab75643b224448586afb5e342971d2a5f42c07a21138a63ef7b76a3a6e7
DarkCloud
3c703c79f804220c6210cef1c0e98cd7cdce8848e84483b5d371e05f5edf02a5
DarkCloud
40bb1d2fd1174f9047e958b334f30d31947f8932593bd9ed57b43ecc0603db93
DarkCloud
61e24fa304b102fc323770b791f3d9bae4b3740a802e3ae3624824effc432e20
DarkCloud
97a6c2608c1e6c30e08ef783b41087ae099d399e0c3ded19a111878e12e4965a
DarkCloud
c1b8faa891f21358fbbe8b002c0324aa0f2f9358df374b6e40e9676bc54c55d2
DarkCloud
ec4aa8a64d9d8e0591d04f1bbe057fd665df8d9c083bd4070f4326862b1753d6
DarkCloud
+ 6'250 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230118-x8y3macf6s/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/9a5c3c0d-a551-4744-babf-4c2e5c517f1e/
SH256 hash:
51bde07d241c86749cbe9b601240653e56e57d5179769c2e6979e2a5781a859b
MD5 hash:
1005211954cb7f385f530da62453e734
SHA1 hash:
82233b095362f9b7632aef9a77ab2ad647e9654e
Link:
https://www.unpac.me/results/9a5c3c0d-a551-4744-babf-4c2e5c517f1e/
SH256 hash:
502e7fadb550d829680b4569255cb8b8e02a914be427bb67db4791b8b4274a61
MD5 hash:
05229d8e9c1990a2fa1ece38d4e99e66
SHA1 hash:
ec335415b9228033a29072619fcd67de67dfe031
Link:
https://www.unpac.me/results/9a5c3c0d-a551-4744-babf-4c2e5c517f1e/
SH256 hash:
9529a00733e717823e4e3663f139a37e58cbc86aa056e5ba14b2fbb2a05f0776
MD5 hash:
c2ab74827efb3731963256650119d45a
SHA1 hash:
cc40f9361fd798ab03c46c82473ec0663bb1068e
Link:
https://www.unpac.me/results/9a5c3c0d-a551-4744-babf-4c2e5c517f1e/
SH256 hash:
3a1108ba9eb7617758c85b4795254d0b012a05d4acb5462d39363dc9f77e5eb5
MD5 hash:
8e5d2da72113328b9dbc4fd1b1ac94b6
SHA1 hash:
af5d6eb888a1646618f9b2d31f4a9dad6bdecd94
Link:
https://www.unpac.me/results/9a5c3c0d-a551-4744-babf-4c2e5c517f1e/
SH256 hash:
ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c
MD5 hash:
77ab42f4bbbf4565846eb8953192d71f
SHA1 hash:
3c662c756cc31867c0473716a74e777a65ced550
Link:
https://www.unpac.me/results/9a5c3c0d-a551-4744-babf-4c2e5c517f1e/
SH256 hash:
8950ea9b316232851e595d026da62e01421b47d39f7306601abaf3de87f3254e
MD5 hash:
73f5c3149f33caa94257f4186362ba59
SHA1 hash:
401f302dd6ceda507d934ba07f5e88c64315be98
Link:
https://www.unpac.me/results/9a5c3c0d-a551-4744-babf-4c2e5c517f1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/8950ea9b316232851e595d026da62e01421b47d39f7306601abaf3de87f3254e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354243/

Comments