MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed
SHA3-384 hash: 8fa33065f804bcc0ae317f9a7d49e1274b99294235aa00541adff45a6536936ad27079145cb04abe3d5a1c03fdd4e5ec
SHA1 hash: ebf524dbe0a9adec78fca81308574a26c7c466c6
MD5 hash: 2d2d2d51c9dec0a7811ff8ffc4827689
humanhash: edward-edward-ack-high
File name:SOA.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:436'229 bytes
First seen:2023-07-18 06:58:05 UTC
Last seen:2023-07-18 07:03:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:pYbyIfr4roCQxOCz0oPcujV0qtaGSTv8mY/L:pYbRf8r5zCz0oPcAO27SomYz
Threatray 17 similar samples on MalwareBazaar
TLSH T1E1941275F6D0C1F7E59981B245B92A661FF28323946CC40B0338EB94B5375B2626BF42
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4f07090d0d014f8c (47 x SnakeKeylogger, 17 x Formbook, 13 x AgentTesla)
Reporter cocaman
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
Malicious activity
Analysis date:
2023-07-18 07:00:05 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/8e5ffd54-70c4-4acb-bcca-650f4bb30b00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/423272/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Zum.Androm.1.23109.9913.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control darkcloud lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64b638362ad0f7418d6a0303/reports/fdd55804-eb83-4b80-adce-d973c9145a7f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08214726-cc8d-4920-a85c-04182c410870
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274905
Signature
Antivirus detection for dropped file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274905 Sample: SOA.exe Startdate: 18/07/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Antivirus detection for dropped file 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 5 other signatures 2->53 6 SOA.exe 1 20 2->6         started        10 oktdyienws.exe 18 2->10         started        12 fixed.exe 18 2->12         started        14 fixed.exe 2->14         started        process3 file4 29 C:\Users\user\AppData\...\oktdyienws.exe, PE32 6->29 dropped 31 C:\Users\user\AppData\Local\...\rclekbmt.dll, PE32 6->31 dropped 59 Detected unpacking (changes PE section rights) 6->59 61 Detected unpacking (overwrites its own PE header) 6->61 63 May check the online IP address of the machine 6->63 75 2 other signatures 6->75 16 SOA.exe 2 55 6->16         started        33 C:\Users\user\AppData\Local\...\rclekbmt.dll, PE32 10->33 dropped 65 Multi AV Scanner detection for dropped file 10->65 67 Machine Learning detection for dropped file 10->67 69 Maps a DLL or memory area into another process 10->69 21 oktdyienws.exe 49 10->21         started        35 C:\Users\user\AppData\Local\...\rclekbmt.dll, PE32 12->35 dropped 71 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 12->71 73 Writes or reads registry keys via WMI 12->73 23 fixed.exe 12->23         started        37 C:\Users\user\AppData\Local\...\rclekbmt.dll, PE32 14->37 dropped 25 fixed.exe 14->25         started        signatures5 process6 dnsIp7 39 us2.smtp.mailhostbox.com 208.91.198.143, 25, 49698, 49701 PUBLIC-DOMAIN-REGISTRYUS United States 16->39 41 showip.net 162.55.60.2, 49697, 49699, 49705 ACPCA United States 16->41 43 192.168.2.1 unknown unknown 16->43 27 C:\Users\user\AppData\Roaming\...\fixed.exe, PE32 16->27 dropped 55 Creates multiple autostart registry keys 16->55 45 208.91.199.223, 25, 49700, 49703 PUBLIC-DOMAIN-REGISTRYUS United States 21->45 57 Tries to harvest and steal browser information (history, passwords, etc) 25->57 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 23:57:22 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=riggd4u2ujux4rfgdf33ybwdz5gcxwbcr26a7iakybl3on276lwq._file
Verdict:
malicious
Similar samples:
081d698ce05d76d8762d9f725143095a0c3ee39a663c08e4523e951dfab93507
DarkCloud
270da7c5b8484ac3f7a0e90036e8e88f951de2ba3a22a0cc56e2b5cd8b0cafe3
DarkCloud
42ef434d4f2fbb1d7dcc088b49c7fd18b15a5cc6871d3b03126071f2981de33f
DarkCloud
43b0616d8f71811739454e94f8a91e47dfd51e0d30a38c7a90f78feb6b177556
DarkCloud
62e14feb0e0a4b6b36e258f63af59d4b68809fe0761b6c58c7ecdea90f4f2c1d
DarkCloud
695196a548978cf3d42fbc0e3cd203a580977262cbae0c96fa8c0128df4d91f9
DarkCloud
89787eecba81c6d44901dcc74adc393548414b4e1c7f642f0fbe4a9ccfba039a
DarkCloud
9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
DarkCloud
b99842b985a6f2f3f6143250917607ccef271d03b631331fa498d7a2b1caa7a1
DarkCloud
c1725944985e772a05352396df8a4f1c2ead57379b075beb7a0b76c5ace344af
DarkCloud
+ 7 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer
Link:
https://tria.ge/reports/230718-hr3bdshe8y/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/4a0f317e-5702-4af7-a2ac-74d69ec33082/
SH256 hash:
d62a2f867fb54c998bc3432df68b7f80ff4bacf75c6524168f72945ea0fd3225
MD5 hash:
2cd444b55fbe38d65e18e9c7720cd08c
SHA1 hash:
deef282f8dacf180aa721a08ae7710db760db206
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/4a0f317e-5702-4af7-a2ac-74d69ec33082/
SH256 hash:
e0900b99e6cf0907b06e9f5a88ada6301f62ede0204bedbf210f936588f19c10
MD5 hash:
d039cba14a0f7cd0e74baf052c3fa236
SHA1 hash:
5b3e8d07191e642186a1543f38161efb2bd6e211
Link:
https://www.unpac.me/results/4a0f317e-5702-4af7-a2ac-74d69ec33082/
SH256 hash:
8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed
MD5 hash:
2d2d2d51c9dec0a7811ff8ffc4827689
SHA1 hash:
ebf524dbe0a9adec78fca81308574a26c7c466c6
Link:
https://www.unpac.me/results/4a0f317e-5702-4af7-a2ac-74d69ec33082/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip 0bd93a3f99ba7af290a968f54e6aa9dd7f7d38dd59a033ae78afbee46a641e83

DarkCloud

Executable exe 8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0bd93a3f99ba7af290a968f54e6aa9dd7f7d38dd59a033ae78afbee46a641e83
Cape
Cape
https://www.capesandbox.com/analysis/423272/
  
Dropped by
MD5 ba1ab875cfba0aafc6d8825874f31a7f

Comments