MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 931eb4b8d93d6629068c4213b5a9b1a188b7365fa887c55d3a9161898cb52462. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 9

SHA256 hash: 931eb4b8d93d6629068c4213b5a9b1a188b7365fa887c55d3a9161898cb52462
SHA3-384 hash: 3b898205e29dd7b61ea343f9d42eba586a0aabc7b5de62577a73b76927d7319b51a1a610062eb3b1e1026656c9beb99b
SHA1 hash: 3a81164f7dedc985a78b27dc7b6b63b4af7e482c
MD5 hash: 047cfd04e6c2c009e592f54fdb297a7a
humanhash: colorado-sweet-triple-eighteen
File name: ΓΚΟΤΣΗΣ-ΚΩΝ-ΝΟΣ 139037541.exe
Signature: DarkCloud
File size: 1'136'640 bytes
First seen: 2023-01-10 13:37:39 UTC
Last seen: 2023-01-16 07:49:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:Y3dKlINFRo1anEWiLCEegGs5nyyxDqEZV/NWC5gh/Wgfz:YQSy1aEzGs5nyCDqEZVkh/Wgf
Threatray: 6'362 similar samples on MalwareBazaar
TLSH: T14135123916E57A58F83DA3BF9110D6A403B4EE31878AC55C0DEB76CBCBFD6295216203
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: adrian__luca
Tags: DarkCloud exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 184
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: ΓΚΟΤΣΗΣ-ΚΩΝ-ΝΟΣ 139037541.exe
Verdict: No threats detected
Analysis date: 2023-01-10 13:40:18 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Sending a custom TCP request
  Searching for synchronization primitives
  Launching the default Windows debugger (dwwin.exe)

Result
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: DarkCloud
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature:
  Injects a PE file into a foreign process
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Tries to harvest and steal browser information (history, passwords, etc.)
  Writes or reads registry keys via WMI
  Yara detected AntiVM3
  Yara detected DarkCloud

Result
Threat name: ByteCode-MSIL.Trojan.Leonem
Status: Malicious
First seen: 2023-01-10 13:38:10 UTC
File Type: PE (.Net Exe)
Extracted files: 17
AV detection: 23 of 39 (58.97%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash

Result
Verdict: Informative
Tags: n/a
YARA: n/a

Unpacked files (the last entry is the submitted sample itself; the others are payloads dumped during analysis)

SHA256 hash: 3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash: 94d1531b52774dce52a89e33646d5b1d
SHA1 hash: 29bf887b025b97bd7a9e1e261852ba824234a625

SHA256 hash: 18d400bc7f8a6fd98681aefb7584668ec756ee62135c77975a93410a5fdd9967
MD5 hash: 22a97fedbb434f21d8de47139a799572
SHA1 hash: a28b7ac3eb92f31ca383ff5854aae4714af6fbca

SHA256 hash: 45edd13f5cc425652de63d3be2128c02b7b21bb534277d06672731ed0ab145bd
MD5 hash: 20c9a86d019feb9a754b110d44eacb3a
SHA1 hash: fb52d802ca7f96e68ca770e98ab91eb09ae73ae5

SHA256 hash: a1015505e7d49d52bb85d29f676924750b12b3306bdcf152a016721bb91ebe41
MD5 hash: 69e96db5489b241bc9955d713d839217
SHA1 hash: d5269b8316151bdf905706aad5541ed8eb35f342

SHA256 hash: c47e2d12442ecc8e285ac50096896d2f5c5e7eb0d6be54c211011e8c440e2c83
MD5 hash: 134c8597c51c3ceb44400bc003c60fa2
SHA1 hash: 7ca835dd55c7a84175c03c86d2892719e3d05092

SHA256 hash: ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash: 89ac57478044c57c7195943116a521e0
SHA1 hash: 1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

SHA256 hash: 931eb4b8d93d6629068c4213b5a9b1a188b7365fa887c55d3a9161898cb52462
MD5 hash: 047cfd04e6c2c009e592f54fdb297a7a
SHA1 hash: 3a81164f7dedc985a78b27dc7b6b63b4af7e482c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
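Both YARA hits above are imphash rules, and the imphash line in the file information shows why such a hit carries no family attribution here: the same value sits on tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. TrID identifies the file as a .NET CIL executable, and a managed PE's native import table normally contains only the CLR loader stub, mscoree.dll!_CorExeMain, so every such file produces the same imphash. The Python below is an added illustration, not code from MalwareBazaar or from any vendor on this page: it reimplements the imphash computation (the pefile algorithm: lowercased "library.function" pairs, library extension stripped, comma-joined, MD5) over constructed import tables. The .NET import table is assumed rather than read from the sample, the native injector import list is invented for contrast, and the helper names are hypothetical.

```python
import hashlib

# Constructed import table for this demonstration; it is not extracted from
# the sample on this page. A managed (.NET) executable's native import table
# normally holds a single entry, mscoree.dll!_CorExeMain (the CLR loader
# stub), regardless of what the managed code itself does.
DOTNET_STUB_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed native import table of the kind a process injector would carry.
# The ws2_32 entry is an ordinal-only import (no function name in the table).
NATIVE_INJECTOR_IMPORTS = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("ADVAPI32.dll", "AdjustTokenPrivileges"),
    ("WS2_32.dll", 115),
]

# The imphash MalwareBazaar lists for this sample.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash(imports):
    """Import hash as pefile computes it.

    For every imported function build "library.function": the library name is
    lowercased and loses a .dll/.ocx/.sys extension, the function name is
    lowercased, and an ordinal-only import is written as "ordN". The strings
    are joined with commas in import-table order and MD5-hashed. (pefile also
    resolves known ordinals of ws2_32 and oleaut32 to names; that lookup table
    is omitted here, so ordinal imports stay as "ordN".)
    """
    parts = []
    for library, function in imports:
        library = library.lower()
        pieces = library.rsplit(".", 1)
        if len(pieces) == 2 and pieces[1] in ("dll", "ocx", "sys"):
            library = pieces[0]
        name = f"ord{function}" if isinstance(function, int) else function.lower()
        parts.append(f"{library}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def is_dotnet_stub_imphash(value):
    """True when an imphash is the one every managed PE shares: it says
    "this is a .NET executable" and nothing about the malware family."""
    return value.lower() == imphash(DOTNET_STUB_IMPORTS)


def pivot_worthy(value):
    """Decide whether an imphash is a usable pivot for hunting or YARA.
    Hypothetical helper: the only rule applied is the .NET stub check."""
    return not is_dotnet_stub_imphash(value)


if __name__ == "__main__":
    stub = imphash(DOTNET_STUB_IMPORTS)
    print("CLR stub imphash:", stub, "(matches page)" if stub == PAGE_IMPHASH else "(differs)")
    print("native injector imphash:", imphash(NATIVE_INJECTOR_IMPORTS))
    print("pivot on the page's imphash?", pivot_worthy(PAGE_IMPHASH))
```

Run stand-alone, the block reproduces the page's imphash from the single-entry .NET import table and rejects it as a pivot, while the native import list yields a value that does depend on the functions imported and their order. The practical consequence for this entry: treat the imphash-only YARA matches as a file-type observation, and hunt on the ssdeep/TLSH values or on the unpacked process dumps listed under Intelligence instead.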

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
DarkCloud
Executable exe 931eb4b8d93d6629068c4213b5a9b1a188b7365fa887c55d3a9161898cb52462 (this sample)

Delivery method: Distributed via e-mail attachment