MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9260c7129dfe3802fc03d7bd51989b28ec80636aa9d22258a1fc29af13323034. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud
Vendor detections: 15

SHA256 hash: 9260c7129dfe3802fc03d7bd51989b28ec80636aa9d22258a1fc29af13323034
SHA3-384 hash: 29609b8e944601c0f301049740854b069cb3f36bda713535926e91c8cc81db7519d42b4bf08d007dfb47c0bc1b97c0c0
SHA1 hash: f41e739dfdd37e5e0f94396d9d1b91c24e7dc893
MD5 hash: 4f500332f579994a734dea2262ca357c
humanhash: low-violet-indigo-zebra
File name: 4f500332f579994a734dea2262ca357c
Signature DarkCloud
File size: 1'395'200 bytes
First seen: 2023-08-24 01:50:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:YSklCe9qhJDFj3X6YSIhxH3vI8AZQyyNgdViU6wv7otnIhKx7Fz8I8:YlCe9qhJDFnhh5wjZkNgdViJI0tIsyI
Threatray 518 similar samples on MalwareBazaar
TLSH T1CA55E16A63744B05CA3C93F1DC917F20235A0FED20A4E2963DA67CD67BB27D184426DB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
     10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
     6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
     4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
     2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 232b336925332b0f (2 x AgentTesla, 1 x DarkCloud, 1 x Formbook)
Reporter zbetcheckin
Tags: 32 DarkCloud exe
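The imphash listed above is worth a caveat before anyone pivots on it: the entry itself reports it shared by 48'738 AgentTesla, 19'596 Formbook and 12'241 SnakeKeylogger samples, and TrID classifies the file as a CIL (.NET) executable. A .NET PE normally imports exactly one native symbol, mscoree.dll!_CorExeMain, so every such binary produces the same imphash regardless of payload. The Python below is an added example (not MalwareBazaar's or pefile's code) that reimplements the imphash algorithm as pefile computes it (lowercased "dll.function" pairs in import-table order, DLL extension stripped, MD5 over the comma-joined list; ordinal-name tables are omitted and unresolved ordinals become "ordN") and shows that the single-import .NET stub yields the value on this page, which makes the imphash, and the two imphash-based YARA hits further down, useless for clustering this sample. TLSH, ssdeep and the icon dhash are the fields to pivot on instead.

```python
"""Recompute a PE imphash from an import list and recognise the generic .NET stub.

Added example: the algorithm mirrors pefile.PE.get_imphash() but takes a plain
list of imports instead of parsing a PE, so it runs without a sample file.
"""
import hashlib

# pefile strips these extensions from the DLL name before hashing.
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")

# Imphash of a PE whose only import is mscoree.dll!_CorExeMain, i.e. the loader
# stub every .NET executable carries.  This is the value the entry above lists.
DOTNET_STUB_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash(imports):
    """imports: iterable of (dll_name, function_name_or_ordinal) in table order.

    Order matters: the same imports in a different order give a different hash,
    exactly as in the real algorithm.
    """
    parts = []
    for dll, func in imports:
        name = dll.lower()
        base, _, ext = name.rpartition(".")
        if base and ext in STRIPPED_EXTENSIONS:
            name = base
        if isinstance(func, int):
            # pefile resolves well-known ordinals (ws2_32, oleaut32) to names;
            # this simplified version keeps the "ordN" fallback only.
            func = "ord%d" % func
        parts.append("%s.%s" % (name, func.lower()))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def is_generic_dotnet_stub(value):
    """True if an imphash is the .NET stub hash and therefore carries no family signal."""
    return value.lower() == DOTNET_STUB_IMPHASH


if __name__ == "__main__":
    h = imphash([("mscoree.dll", "_CorExeMain")])
    print(h, "generic .NET stub" if is_generic_dotnet_stub(h) else "specific import set")
    # A native binary with a real import table hashes to something sample-specific.
    print(imphash([("kernel32.dll", "VirtualAlloc"), ("kernel32.dll", "WriteProcessMemory"),
                   ("ws2_32.dll", 23)]))
```

Run it against the imphash field of any .NET sample: when `is_generic_dotnet_stub` returns True, treat imphash-based matches (including the `pe_imphash` and `Skystars_Malware_Imphash` YARA hits) as uninformative and cluster on TLSH or ssdeep instead.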

Intelligence


File Origin
# of uploads: 1
# of downloads: 290
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4f500332f579994a734dea2262ca357c
Verdict: Malicious activity
Analysis date: 2023-08-24 01:50:35 UTC
Tags: darkcloud

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Restart of the analyzed sample

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DarkCloud
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph (ID 1296293; sample Xhbe43BCyu.exe; start date 24/08/2023; architecture WINDOWS; score 100)

Top-level signatures:
    Found malware configuration
    Malicious sample detected (through community Yara rule)
    Antivirus / Scanner detection for submitted sample
    5 other signatures

Process tree:
    Xhbe43BCyu.exe (started)
        signatures: Writes or reads registry keys via WMI; Injects a PE file into a foreign processes
        Xhbe43BCyu.exe (child)
            network: us2.smtp.mailhostbox.com 208.91.199.225, ports 49714, 587 (PUBLIC-DOMAIN-REGISTRYUS, United States)
            network: showip.net 162.55.60.2, ports 49713, 49728, 49730 (ACPCA, United States)
            dropped: C:\Users\user\AppData\Roaming\...\custrel.exe (PE32)
    custrel.exe (started)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file
        custrel.exe (child)
            network: 208.91.199.224, ports 49729, 49731, 587 (PUBLIC-DOMAIN-REGISTRYUS, United States)
            network: 192.168.2.1 (unknown)
        custrel.exe (child)
    custrel.exe (started)
        custrel.exe (child)
            signatures: Tries to harvest and steal browser information (history, passwords, etc)
        custrel.exe (child)
        custrel.exe (child)
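The execution chain above is the classic mail-based stealer pattern: the sample resolves its public IP via showip.net, then opens port 587 to a third-party SMTP host (us2.smtp.mailhostbox.com / 208.91.199.224) from a process that is not a mail client, and a persistence copy (custrel.exe under AppData\Roaming) repeats the SMTP contact. The Python below is an added example (not part of the MalwareBazaar page or any vendor's product) of detection logic for that sequence, run over constructed, Sysmon-like network-connection log lines. The log format, the process names in the sample log, and the `ALLOWED_MAIL_CLIENTS` / `ALLOWED_SMTP_RELAYS` allow-lists are assumptions standing in for local policy; the hosts and ports come from the graph above.

```python
"""Flag processes that query an external-IP service and then talk SMTP to a host
that is not the organisation's relay.

Added example.  Log lines and allow-lists are constructed for this demonstration.
"""
import re
from collections import defaultdict

IP_CHECK_HOSTS = {"showip.net"}                 # external-IP lookup seen in the sandbox graph
SMTP_PORTS = {25, 465, 587}
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumption: local policy
ALLOWED_SMTP_RELAYS = {"smtp.corp.example"}                  # assumption: org relay

# Assumed line format: "<iso-timestamp> pid=<n> image=<path> dst=<host>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)

# Constructed log: two chains modelled on the graph above plus a benign Outlook session.
SAMPLE_LOG = r"""
2023-08-24T01:50:40Z pid=1804 image=C:\Users\user\Desktop\Xhbe43BCyu.exe dst=showip.net:80
2023-08-24T01:50:41Z pid=1804 image=C:\Users\user\Desktop\Xhbe43BCyu.exe dst=us2.smtp.mailhostbox.com:587
2023-08-24T01:50:45Z pid=2260 image=C:\Apps\outlook.exe dst=smtp.corp.example:587
2023-08-24T01:50:50Z pid=3012 image=C:\Users\user\AppData\Roaming\custrel.exe dst=208.91.199.224:587
""".strip().splitlines()


def parse(lines):
    """Parse matching lines into dicts; unrelated lines are skipped, not errors."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            events.append(e)
    return events


def find_smtp_exfil(lines):
    """Return one finding per suspicious process, ordered by pid.

    severity "high":   IP-check host contacted, then SMTP to a non-relay host
    severity "medium": SMTP to a non-relay host from a non-mail-client process
    """
    by_proc = defaultdict(list)
    for e in parse(lines):
        by_proc[(e["pid"], e["image"])].append(e)

    findings = []
    for (pid, image), evs in sorted(by_proc.items()):
        evs.sort(key=lambda e: e["ts"])          # ISO timestamps sort lexically
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in ALLOWED_MAIL_CLIENTS:
            continue
        ip_checked = False
        for e in evs:
            if e["host"] in IP_CHECK_HOSTS:
                ip_checked = True
                continue
            if e["port"] in SMTP_PORTS and e["host"] not in ALLOWED_SMTP_RELAYS:
                findings.append({
                    "pid": pid,
                    "image": exe,
                    "smtp_host": e["host"],
                    "ts": e["ts"],
                    "severity": "high" if ip_checked else "medium",
                    "rule": "ipcheck_then_smtp" if ip_checked else "smtp_from_non_mail_client",
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_smtp_exfil(SAMPLE_LOG):
        print("%(severity)-6s %(rule)-26s pid=%(pid)s %(image)s -> %(smtp_host)s" % f)
```

The medium-severity rule on its own is noisy in environments with scripted mail (monitoring agents, printers); the high-severity rule, which needs the IP-check first, is what singles out DarkCloud-style stealers, and the allow-lists are where each site tunes it.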
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-08-21 17:48:57 UTC
File Type: PE (.Net Exe)
Extracted files: 23
AV detection: 21 of 38 (55.26%)
Threat level: 5/5

Result
Malware family: darkcloud
Score: 10/10
Tags: family:darkcloud stealer
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SHA256 hash: 3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash: 94d1531b52774dce52a89e33646d5b1d
SHA1 hash: 29bf887b025b97bd7a9e1e261852ba824234a625

SHA256 hash: a8514a4c119f5ebe6462cd4d4bf802b86b88d9c8b9f76ea201ffa95723cad55a
MD5 hash: 0ea366bf0e684ab3a894847e2c32da09
SHA1 hash: 4d120a62179b1194e60b742f2475bcc334d2c72b
Detections: darkcloudstealer

SHA256 hash: 2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash: 1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash: bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9

SHA256 hash: 080c5c98c03a635e0e5277442990cadd36b401d90edadc74fe9e761998966485
MD5 hash: 70e13a3537bf8022542b5d0457d02d82
SHA1 hash: b24da55f1863a1f2f623a66ff915e2d9260c1309

SHA256 hash: ce0dec5c3d781c7ed671a81988756e21c7563efec4d3710f62badab774e14724
MD5 hash: 4ef6d6fcfcdfd32d8d9368f5362a7ac0
SHA1 hash: ab4085ceffa3397a16f1ad25cc01244029915ef3

SHA256 hash: 9260c7129dfe3802fc03d7bd51989b28ec80636aa9d22258a1fc29af13323034
MD5 hash: 4f500332f579994a734dea2262ca357c
SHA1 hash: f41e739dfdd37e5e0f94396d9d1b91c24e7dc893
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: MALWARE_Win_DarkCloud
Author: ditekSHen
Description: Detects DarkCloud infostealer

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: ProtectSharewareV11eCompservCMS
Author: malware-lu

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vba
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DarkCloud
Sample: Executable exe 9260c7129dfe3802fc03d7bd51989b28ec80636aa9d22258a1fc29af13323034 (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2023-08-24 01:50:07 UTC

url : hxxp://23.95.128.195/850/ifgxEM.exe