MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e16304b756988b8fedf67c9c0eee38873fa743a2e9beae9bfc7bc44206e6a5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e16304b756988b8fedf67c9c0eee38873fa743a2e9beae9bfc7bc44206e6a5d
SHA3-384 hash: 47768cb36e9cc905d225f3185ba6ddbcc228f88df70f1c0ceec794a91dfb20e081ab03e7371ebc307969bfce2a89e601
SHA1 hash: 04039b7f69cc9264ad41029b916110bbef44a896
MD5 hash: 977f2ac7c4ccb4b8b4a5f961ff2aa6fe
humanhash: south-skylark-kilo-wolfram
File name:pagos.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'351'543 bytes
First seen:2023-04-22 09:42:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:aTbBv5rUDoZ++AdLAXjXXRQFX8KZ4IXIJJpUUBQjqfYTfz7V2EggiVEoWc:sBpZ+HdUtQSVLzUUZ8V2Egf
Threatray 576 similar samples on MalwareBazaar
TLSH T17B5512027EC198B3D47308365976AB31A93E7D205F748ECF2790661EDE326C1E2357A6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f874e6e2aaaca8a9 (2 x DarkCloud, 2 x SnakeKeylogger)
Reporter cocaman
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
pagos.exe
Verdict:
Malicious activity
Analysis date:
2023-04-22 09:44:51 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/9ca0a3b6-3022-4ed8-bd81-9adc22274a28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384237/
Detection(s):
Win.Dropper.Nanocore-9987974-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80924/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm autoit explorer.exe greyware keylogger overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6443ac2890012911b69903b2/reports/1e0bb585-b2e4-4db1-92d2-bd6d843856b2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8e16304b756988b8fedf67c9c0eee38873fa743a2e9beae9bfc7bc44206e6a5d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f1df263-544f-44e8-9a7e-e30d4b71344d
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1219149
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 852095 Sample: pagos.exe Startdate: 22/04/2023 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 3 other signatures 2->62 8 pagos.exe 43 2->8         started        12 liweh.pif 2->12         started        14 liweh.pif 1 2->14         started        16 liweh.pif 2->16         started        process3 file4 44 C:\Users\user\AppData\Local\...\liweh.pif, PE32 8->44 dropped 68 Drops PE files with a suspicious file extension 8->68 70 Starts an encoded Visual Basic Script (VBE) 8->70 18 wscript.exe 1 8->18         started        72 Writes to foreign memory regions 12->72 74 Allocates memory in foreign processes 12->74 76 Injects a PE file into a foreign processes 12->76 20 RegSvcs.exe 1 12->20         started        22 RegSvcs.exe 1 12->22         started        24 RegSvcs.exe 1 14->24         started        26 RegSvcs.exe 14->26         started        28 RegSvcs.exe 16->28         started        30 RegSvcs.exe 16->30         started        signatures5 process6 process7 32 liweh.pif 1 3 18->32         started        file8 42 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 32->42 dropped 48 Antivirus detection for dropped file 32->48 50 Multi AV Scanner detection for dropped file 32->50 52 Writes to foreign memory regions 32->52 54 2 other signatures 32->54 36 RegSvcs.exe 15 32->36         started        40 RegSvcs.exe 1 32->40         started        signatures9 process10 dnsIp11 46 showip.net 162.55.60.2, 49697, 80 ACPCA United States 36->46 64 Tries to harvest and steal browser information (history, passwords, etc) 36->64 66 May check the online IP address of the machine 40->66 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e16304b756988b8fedf67c9c0eee38873fa743a2e9beae9bfc7bc44206e6a5d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-21 20:53:30 UTC
File Type:
PE (Exe)
Extracted files:
109
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ryldas3vngelr7w7m7e4b3xdrbz7u5b2f2n6v2n7y66eiidonjoq._file
Verdict:
malicious
Similar samples:
0349fcd562c68adc726cea4e84cf6dab9c572a6cbb97c2018a9092126524d719
DarkCloud
209796f7defbaddb78d4068d6dcb5c2bb81508987eb3a07090513d5171cc9e69
DarkCloud
331c2f4bff1f7b905846094bf883b8d67efa9f6698c57169bff85fd4382da009
DarkCloud
4cfdf43b2f81fcb05ededad0c6e3a9d58f08a22320a36aece3a56c911ffb7af5
DarkCloud
51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25
DarkCloud
60f3966c3a1984024b515a62c1dce029717182dc7a8c7e02b13bc9e5d366fb38
DarkCloud
64359ddf637e15b2f3f8e0360d23caf8d2d5d51680b8709bde3eaa392978043a
DarkCloud
715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6
DarkCloud
8950ea9b316232851e595d026da62e01421b47d39f7306601abaf3de87f3254e
DarkCloud
ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b
DarkCloud
+ 566 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer
Link:
https://tria.ge/reports/230422-lpw85sfh4t/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/25276c6f-ecd7-4c97-a0ac-1adaa4b5a0b1/
SH256 hash:
f885a40d63e46e455a4e8afeca78f8a4bb284b3dd9b6403e64c3ea53b142059c
MD5 hash:
d85213d4834ecb6724c1efd5fe73fbeb
SHA1 hash:
0ad545faeade168157d663789fece184a9294a9b
Link:
https://www.unpac.me/results/25276c6f-ecd7-4c97-a0ac-1adaa4b5a0b1/
SH256 hash:
a1750a23d1ffe734cb8d3737432201769ac76b1d5eb2ca3c5ec20e004e523466
MD5 hash:
50bfae877b6c741b14e9b90ea81cdbfb
SHA1 hash:
3d56057e97baae733882e2c14147d1cf756705ff
Link:
https://www.unpac.me/results/25276c6f-ecd7-4c97-a0ac-1adaa4b5a0b1/
SH256 hash:
8e16304b756988b8fedf67c9c0eee38873fa743a2e9beae9bfc7bc44206e6a5d
MD5 hash:
977f2ac7c4ccb4b8b4a5f961ff2aa6fe
SHA1 hash:
04039b7f69cc9264ad41029b916110bbef44a896
Link:
https://www.unpac.me/results/25276c6f-ecd7-4c97-a0ac-1adaa4b5a0b1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e16304b7569/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e16304b756988b8fedf67c9c0eee38873fa743a2e9beae9bfc7bc44206e6a5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip 7bb5644af505f02103e7099678847ca8b8a3e8b6286599c024f84851c05aa2e8

DarkCloud

Executable exe 8e16304b756988b8fedf67c9c0eee38873fa743a2e9beae9bfc7bc44206e6a5d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 7bb5644af505f02103e7099678847ca8b8a3e8b6286599c024f84851c05aa2e8
Cape
Cape
https://www.capesandbox.com/analysis/384237/
  
Dropped by
MD5 537a52aab972bded43038013142af3d8

Comments