MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9006cc5eb7a7a1603689b4ef7f0ea26dd5c98075f77192db959aed5c20ec7434. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9006cc5eb7a7a1603689b4ef7f0ea26dd5c98075f77192db959aed5c20ec7434
SHA3-384 hash: cf0bc61bb109fb862413be7027093b5bdcc82cccccc9bb6abf54c140afc51c3e3ffcd72393e11b6c1df51e727b2f848f
SHA1 hash: 2df983ddaa037569897283e4045a988edd59e8cc
MD5 hash: 1d2834906adf4647502610778b690523
humanhash: stream-harry-chicken-delta
File name:CONFIRMACIÓN DE PEDIDO 0017161.js
Download: download sample
Signature DarkCloud
Create hunting rule
File size:2'329 bytes
First seen:2025-09-11 06:43:58 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 48:RYONIRX9wovYLYTXAuOWbyzEiWKQGRxidwBfhBW+6aSYG+TEm7NR:ktwAnOWbniWqRk6fDjBSYR/hR
TLSH T1F841408C3D41B1840F2352A39C1B8E0BA326FF59A45AD61DE032F4D43D18765FAAFA70
Magika javascript
Reporter abuse_ch
Tags:DarkCloud js

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c26fd66e66ba602d7a475c
Tags:
cryxos emotet
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/9006cc5eb7a7a1603689b4ef7f0ea26dd5c98075f77192db959aed5c20ec7434
Verdict:
Malicious
File Type:
js
First seen:
2025-09-10T06:03:00Z UTC
Last seen:
2025-09-10T06:03:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/9006cc5eb7a7a1603689b4ef7f0ea26dd5c98075f77192db959aed5c20ec7434/results?tab=lookup
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775373
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Injects a PE file into a foreign processes
JavaScript file contains suspicious strings
JavaScript source code contains functionality to generate code involving a shell, file or stream
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DarkCloud
Yara detected Generic JS Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1775373 Sample: CONFIRMACI#U00d3N DE PEDIDO... Startdate: 11/09/2025 Architecture: WINDOWS Score: 100 23 files.catbox.moe 2->23 25 bg.microsoft.map.fastly.net 2->25 35 Suricata IDS alerts for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for dropped file 2->39 41 13 other signatures 2->41 8 wscript.exe 2 19 2->8         started        signatures3 process4 dnsIp5 27 files.catbox.moe 108.181.20.35, 443, 49687 ASN852CA Canada 8->27 19 C:\Users\user\AppData\Local\...\b4KGK4f.exe, PE32 8->19 dropped 21 C:\Users\user\...\ORDER CONFIRMATION.exe, PE32 8->21 dropped 43 System process connects to network (likely due to code injection or exploit) 8->43 45 Benign windows process drops PE files 8->45 47 JScript performs obfuscated calls to suspicious functions 8->47 49 2 other signatures 8->49 13 b4KGK4f.exe 3 8->13         started        file6 signatures7 process8 signatures9 51 Antivirus detection for dropped file 13->51 53 Multi AV Scanner detection for dropped file 13->53 55 Writes to foreign memory regions 13->55 57 2 other signatures 13->57 16 RegAsm.exe 3 13->16         started        process10 signatures11 29 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->29 31 Tries to steal Mail credentials (via file / registry access) 16->31 33 Tries to harvest and steal browser information (history, passwords, etc) 16->33
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9006cc5eb7a7a1603689b4ef7f0ea26dd5c98075f77192db959aed5c20ec7434
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9006cc5eb7a7a1603689b4ef7f0ea26dd5c98075f77192db959aed5c20ec7434/
Threat name:
Script-JS.Downloader.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-09-10 09:42:24 UTC
File Type:
Text (JavaScript)
AV detection:
10 of 24 (41.67%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sadmyxvxu6qwanujwtxx6dvcnxk4tadv65yzfw4vtlwvyihmoq2a._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
error
DarkCloud
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250911-hn268ahq6z/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9006cc5eb7a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9006cc5eb7a7a1603689b4ef7f0ea26dd5c98075f77192db959aed5c20ec7434

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments