MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bcea0e85866e00681b5ce6c14c70ac359d07abf85a057d5ffc4a816a644e13b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bcea0e85866e00681b5ce6c14c70ac359d07abf85a057d5ffc4a816a644e13b
SHA3-384 hash: a3118af7a150de1e4b51172dbf7c0d77562b0f7b7928ff00dfb420edd3ce9e7d16da638208fb14d14bfcbf25d5840d75
SHA1 hash: 248c9fd12c230df81cbda633463b5517af05fbe4
MD5 hash: 16176ed4d665a34c7ebdec58a7a81af0
humanhash: stream-mirror-venus-rugby
File name:t4567898765d0987.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:561'152 bytes
First seen:2023-11-01 06:25:25 UTC
Last seen:2023-11-01 08:16:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:pAicOl1SeVWVUiFA/dTa3ILCGmvx16+jFGIVKsti1Ub7Czd:6VU80dO30CGmJY+JGIbU1vzd
Threatray 155 similar samples on MalwareBazaar
TLSH T17EC4DF513D5D4205D97EF7F0A2E34ED2832EBC299D298006D9F5B249957222BCCC2F9E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter abuse_ch
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
290
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457493/
Detection(s):
SecuriteInfo.com.Trojan.KeyloggerNET.52.10064.14592.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed zusy
Link:
https://www.filescan.io/uploads/6541ef7f34de31f579cf5268/reports/fecbc88b-94d1-448a-b605-5b5629a6a039/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8bcea0e85866e00681b5ce6c14c70ac359d07abf85a057d5ffc4a816a644e13b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edf48b85-ea40-4f3a-887e-e75f36a77eaf
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335227
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the user root directory
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335227 Sample: t4567898765d0987.exe Startdate: 01/11/2023 Architecture: WINDOWS Score: 100 39 showip.net 2->39 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->53 55 4 other signatures 2->55 10 t4567898765d0987.exe 3 2->10         started        signatures3 process4 signatures5 63 Drops PE files to the user root directory 10->63 65 Writes or reads registry keys via WMI 10->65 67 Injects a PE file into a foreign processes 10->67 13 t4567898765d0987.exe 2 20 10->13         started        process6 dnsIp7 41 showip.net 162.55.60.2, 49736, 80 ACPCA United States 13->41 35 C:\Users\user\AppData\...\ConsoleApp1.exe, PE32 13->35 dropped 37 C:\Users\Public\vbsqlite3.dll, PE32 13->37 dropped 69 Tries to harvest and steal browser information (history, passwords, etc) 13->69 18 ConsoleApp1.exe 10 13->18         started        file8 signatures9 process10 signatures11 43 Antivirus detection for dropped file 18->43 45 Multi AV Scanner detection for dropped file 18->45 47 Machine Learning detection for dropped file 18->47 21 credentials.exe 2 18->21         started        24 csc.exe 5 18->24         started        process12 file13 57 Antivirus detection for dropped file 21->57 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->59 61 Machine Learning detection for dropped file 21->61 27 conhost.exe 21->27         started        33 C:\Users\user\AppData\...\credentials.exe, PE32 24->33 dropped 29 conhost.exe 24->29         started        31 cvtres.exe 1 24->31         started        signatures14 process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8bcea0e85866e00681b5ce6c14c70ac359d07abf85a057d5ffc4a816a644e13b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bcea0e85866e00681b5ce6c14c70ac359d07abf85a057d5ffc4a816a644e13b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-23 05:05:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rphkb2cym3qananvzzwbjrykynm5a6v7qwqfpvp7ysubnjse4e5q._file
Verdict:
malicious
Similar samples:
03f8dbf1f3cd5848a4b4bb6777b2143b3a6dd8bc34faa4f732509a7f539a2c64
DarkCloud
1bef6e9201c4c290b30a66be4c6aea4492966417eb5974f26b38ba9ed732bdd3
DarkCloud
29a08311df4b9c042dd63aa22583e129877ca0546cc40b6d502c1c9ca1d7075d
DarkCloud
8cf77a7dc3990a9bace47ff27082f1c535375b16eaf2a08209956969c55bb854
DarkCloud
9005c9522aa361a5fdc143f907b8fced088d2a92297fa7c32a510048a063f5ba
DarkCloud
a75fbc544ae5f8fc7fa7e9b5caa8fd353a175eefa51b1b9a991272682fa4c9b4
DarkCloud
eff81b3a8f5f065a55fa41bd19c23b34c740c25aace351a92ad4a96d03083f04
DarkCloud
fd8fff6a5f07a9d3be875b4b4ca47c6682eb439343f53ce5fa357a81ba708056
DarkCloud
+ 145 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/231101-g67c8adg26/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/a6861bcf-9f4f-47cb-b11e-78dc1209d5bc/
SH256 hash:
0ddc50feb1961a195e81c5b646512ee4a4f9ae3571b7f4213ddce21c9cd527ca
MD5 hash:
ce8c8d07d94eb7e3edcd6ccf9ab7b326
SHA1 hash:
d7d5496293867dc5070da0765e8da369b97c3152
Link:
https://www.unpac.me/results/a6861bcf-9f4f-47cb-b11e-78dc1209d5bc/
SH256 hash:
b39991e0cf1630a6fb51e58475485017cb871bca1a115835abf895df24f18dde
MD5 hash:
fa4f67bc731fc3c41fb6d2609a7ddd76
SHA1 hash:
a7b387ac011f0ac1a6ce602c9bc30d89d487f09d
Link:
https://www.unpac.me/results/a6861bcf-9f4f-47cb-b11e-78dc1209d5bc/
SH256 hash:
781a471adaad3e8f99e84504cbafeb260fe3b5387bcd357a959af40ea7685701
MD5 hash:
2a72e16e21014b3d05d500a70470499c
SHA1 hash:
1446f9321f6743222045c901aeed56657044f233
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/a6861bcf-9f4f-47cb-b11e-78dc1209d5bc/
SH256 hash:
8bcea0e85866e00681b5ce6c14c70ac359d07abf85a057d5ffc4a816a644e13b
MD5 hash:
16176ed4d665a34c7ebdec58a7a81af0
SHA1 hash:
248c9fd12c230df81cbda633463b5517af05fbe4
Link:
https://www.unpac.me/results/a6861bcf-9f4f-47cb-b11e-78dc1209d5bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bcea0e85866e00681b5ce6c14c70ac359d07abf85a057d5ffc4a816a644e13b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 8bcea0e85866e00681b5ce6c14c70ac359d07abf85a057d5ffc4a816a644e13b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/457493/

Comments