MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
SHA3-384 hash: 9defd711ca3985306a1a67e3f03381bfcbc5178477bc1ecd93d85cf8f2547262dbcce207826294aae246f737b818c913
SHA1 hash: f17858860908363e78d577575ac9bd32fc1a6488
MD5 hash: 23dbd626f1ae7d12199439bd74e972a1
humanhash: wisconsin-equal-avocado-don
File name:REQUEST PRICE OFFER _2025_09 rmeEd23.bat
Download: download sample
Signature DarkCloud
Create hunting rule
File size:677'888 bytes
First seen:2025-09-09 13:13:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:+aqojL4e+NZIuScpFGoP4rPeMnK2QyT2Xu2l/m2QaQZNC5:3qzpQoP4rPpb45ukQ
Threatray 543 similar samples on MalwareBazaar
TLSH T17BE413042565AD16D0F31BB00A31D2791BF66DCAF422EB2A9EE93CCFB57F3141690761
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c616be734f5664628a2adb209b81ab73cb701b83d2ef3a16b2a5985daa1bb6f2.zip
Verdict:
Malicious activity
Analysis date:
2025-09-04 08:20:36 UTC
Tags:
arch-exec netreactor auto-sch-xml darkcloud
Link:
https://app.any.run/tasks/6200bc4c-552c-497d-ae6c-ca179f88bbd7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26486/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c028906e66ba602d7968b8
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/68c029a2a1a41633174e8275/reports/a8123349-c3f1-40a5-88e0-fadf6873e7d6/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-04T04:19:00Z UTC
Last seen:
2025-09-04T04:19:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e9a1ba8-31af-459e-80df-2b16ea9c17d9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.38 Win 32 Exe x86
Link:
https://app.malva.re/file/23dbd626f1ae7d12199439bd74e972a1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-09-04 08:20:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rz6gdwy5jkxetxn5dk4fq37hklw32aptbvjbjzxgxqduupwakwea._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
darkcloudstealer
Create hunting rule
Similar samples:
255f2855810e99bf8b6f1ff7cd5b5920737ee19210d53e01f5de4302d75b3ade
DarkCloud
26a2714342c817548962d1a9cf5ebb1aacb811c3060fea1269c8280047b8eddf
DarkCloud
bfd5c1ddd57dd2cf89518b5524ed3319502860bd876eba635985307d8042a0d1
DarkCloud
cd321908b065d6558e6dff785f8cb449d9a973bbb09370cdb2f587fb7bfa7349
DarkCloud
d2769c44ac1fc171c71e75f8cdb446a0615f0a151a49dff4720ad64c7d809ee4
DarkCloud
error
DarkCloud
+ 533 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery execution persistence stealer
Link:
https://tria.ge/reports/250909-qkt1fabm5t/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/74f90856-aef0-415b-97fa-b3eb4cee1347
Unpacked files
SH256 hash:
8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
MD5 hash:
23dbd626f1ae7d12199439bd74e972a1
SHA1 hash:
f17858860908363e78d577575ac9bd32fc1a6488
Link:
https://www.unpac.me/results/cbea8085-735e-4972-b71a-ce46298919d1/
SH256 hash:
983e7bcac8312a5a362fc0ff5c571f6f34a3d4c01aeaad976210944ed0d0f67f
MD5 hash:
ce9998d4ad8e64128201f1e9293732b0
SHA1 hash:
1b6249980eef3df9eb7b2106b03cd3b89dc2badc
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/cbea8085-735e-4972-b71a-ce46298919d1/
Parent samples :
255f2855810e99bf8b6f1ff7cd5b5920737ee19210d53e01f5de4302d75b3ade
8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
SH256 hash:
b11317fa8699a2cd3b212ac6adb602784ff345d18218adfb4f3249f66d50785e
MD5 hash:
d2e091beb2d35e61479b3eb02609262a
SHA1 hash:
56332f88097ea2ba830728b3c27615957e6b76f8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/cbea8085-735e-4972-b71a-ce46298919d1/
SH256 hash:
e50b0550616c4ea9dc2d18d75084f50e6e7da2ccaa2c77a439026957105aad8f
MD5 hash:
540148a4209d7e2b88d0e24b919c2834
SHA1 hash:
5a2042f9c9946e57d02d0d4e9a1ba2c5b1246a1e
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/cbea8085-735e-4972-b71a-ce46298919d1/
Parent samples :
881aac6c0395e173fe15acd1baf9caf443e73e166176b5040ccdb7e34750ed58
e14543458bbd96f242cc1dbeb9e3ff8c62c592fbe954b6da75fbf7f05aa41a0f
93bba3622d1594eb97ea253dbee9a1d5c495871b73410bccd6c41d7969d3b8a2
a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
67b1c7d222568af1d3fe24c18125eac63dad102e029fae7427b7b9a526f63699
2e3c410728b3564bd615f8e6c64a7fc82fd5385542d02d7134d07bcbbc3f9f09
8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c
26a2714342c817548962d1a9cf5ebb1aacb811c3060fea1269c8280047b8eddf
78f8b46dfdd55f7914e78f925189180f674945327ee3fa9187e2d5de86b15337
a8dabe249da520a24de691d48bf2549dda65bbb3e62cecd148b1ff0080533cac
0cb006d7434c2ffa1b04e4f20a90688e8eb36e82cea2db1641744e235995439b
fcdc9e821a1bd97c87b1c9b9fed76a070f3ff81a0ee0838f49a915336851a029
6b76abca8f35fff263c12beaaf521405a1d3743abde3bc20d8415272b2c5a140
2f76a21937582bd59783cab01437d029a6ccd52635e2a3f424831ad7e444e640
392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
acfd0a48223c3e021532b6f7cfb12e81ebf2903bd706b9a5d45fb1a020dd7902
9357bf9a67240b9df693123dfcefe78bd468a313243e9ab7769c60eae161f1ad
c3bce19ca32fe499888cec1530bef701ba3d11d7fba776945a2e1245cb162a38
8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
227d7f535bcb6ce158d63d9436429547e9a065b289cf8b0caf8993ddd549190d
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e7c61db1d4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26486/

Comments