MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e436dc374b71fcb5168d9bba73804267770466a94f4ac20785009c8799bc803. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkCloud


Vendor detections: 15



SHA256 hash: 8e436dc374b71fcb5168d9bba73804267770466a94f4ac20785009c8799bc803
SHA3-384 hash: 4cd130f3ae8958bf5a8fe7f56405a63f6a19b0a430b62b6b47131bc748ac7bfec7bb0b3e09a275edfc56a8b970bda9a3
SHA1 hash: ff4e722708bc2f25cc17908091aad7645c446076
MD5 hash: 5214925401a3a4308de915683c2ad217
humanhash: lactose-undress-sink-saturn
File name: HESAP____________________________________________________________________________________________ BEYANI.___PDF.exe
Download: download sample
Signature: DarkCloud
File size: 871'424 bytes
First seen: 2024-01-19 16:37:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:Uc/MERbgWhZnE5evnYrPJBoz8vxnt/qjC/ypAosmF43YMS4gvu:Uc/T/7E5egrj5F52CSA0aYHR
Threatray 478 similar samples on MalwareBazaar
TLSH T173052344B3BC5755CF2503F09D90002C0B7D742EAB70EB6A8E8A69DB96577234A43B9F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: DarkCloud exe geo TUR

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 316
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DarkCloud
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2024-01-18 12:41:13 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 27 of 38 (71.05%)
Threat level: 5/5
Result
Malware family: darkcloud
Score: 10/10
Tags: family:darkcloud stealer
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: MALWARE_Win_DarkCloud
Author: ditekSHen
Description: Detects DarkCloud infostealer
Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: ProtectSharewareV11eCompservCMS
Author: malware-lu
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vba
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: Windows_Trojan_DarkCloud_9905abce
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
DarkCloud
Executable exe 8e436dc374b71fcb5168d9bba73804267770466a94f4ac20785009c8799bc803 (this sample)
Delivery method: Distributed via e-mail attachment
