MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 20


Intelligence 20 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a
SHA3-384 hash: 171fd4c27569b3a70efd3d613a99d4df970627710346c67584578cae3aee7e8718cb77033dbe80c44742b8da6132deb4
SHA1 hash: 9a492b5c0158f2f8c38073f20bb2fb041150edaf
MD5 hash: fe340cbe70c6d4a380e2ac9f6698e5ab
humanhash: blue-dakota-kentucky-hotel
File name:E-dekont.pdf.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:823'296 bytes
First seen:2025-09-27 13:19:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:Yilv8nVvFPG8o5zPlx6lQAmbIC0Eo2PYM:qVvZEiqAmErEhPY
TLSH T11D051249237DEF06D0E61BF80970D3741775AE88A825E30B0EFBADDF7869B456940283
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:DarkCloud exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E-dekont.pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-09-27 13:20:45 UTC
Tags:
stealer evasion telegram darkcloud ims-api generic
Link:
https://app.any.run/tasks/5fd2d9fe-3967-4e72-a6d9-4c4650474a5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29275/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d7e46891dd51f6514f2738
Tags:
underscore spawn shell virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin masquerade msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego telegram vbc vbnet
Link:
https://www.filescan.io/uploads/68d7e47c674d5fd6aa0e63d0/reports/63ebe4dd-1c72-41aa-ac40-d883166fb8b7/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-26T05:12:00Z UTC
Last seen:
2025-09-26T05:12:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-Spy.MSIL.Noon.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.DarkCloud.sb Trojan.MSIL.Taskun.sb PDM:Trojan.Win32.Generic PDM:Trojan.Win32.Badex.d Trojan-PSW.Win32.Stelega.sb HackTool.ReconScan.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a/results?tab=lookup
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90c479d0-ec54-4e3f-b17f-c4b59c1621e2
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1785204
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1785204 Sample: E-dekont.pdf.exe Startdate: 27/09/2025 Architecture: WINDOWS Score: 100 36 api.telegram.org 2->36 38 showip.net 2->38 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 54 12 other signatures 2->54 9 E-dekont.pdf.exe 4 2->9         started        13 svchost.exe 1 1 2->13         started        signatures3 52 Uses the Telegram API (likely for C&C communication) 36->52 process4 dnsIp5 30 C:\Users\user\...-dekont.pdf.exe.log, ASCII 9->30 dropped 56 Adds a directory exclusion to Windows Defender 9->56 58 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 9->58 16 E-dekont.pdf.exe 58 9->16         started        20 powershell.exe 23 9->20         started        40 127.0.0.1 unknown unknown 13->40 file6 signatures7 process8 dnsIp9 32 api.telegram.org 149.154.167.220, 443, 49685 TELEGRAMRU United Kingdom 16->32 34 showip.net 162.55.60.2, 49681, 80 ACPCA United States 16->34 42 Tries to harvest and steal browser information (history, passwords, etc) 16->42 22 taskkill.exe 1 16->22         started        44 Loading BitLocker PowerShell Module 20->44 24 WmiPrvSE.exe 20->24         started        26 conhost.exe 20->26         started        signatures10 process11 process12 28 conhost.exe 22->28         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.51 Win 32 Exe x86
Link:
https://app.malva.re/file/fe340cbe70c6d4a380e2ac9f6698e5ab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a/
Verdict:
Malicious
Threat:
Trojan.Win32.TCP
Link:
https://tip.neiki.dev/file/95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-09-26 11:09:19 UTC
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=swvfd4rs53s33pq6pyd3t6use6o5sxobc2glda6xdm344pcwdina._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
darkcloudstealer
Create hunting rule
Similar samples:
error
DarkCloud
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud defense_evasion discovery execution spyware stealer
Link:
https://tria.ge/reports/250927-qkzkxscr6t/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8459604418:AAEe5BJzgytThRakO5ZkWuEuVE2XzWiw0Ow/sendMessage?chat_id=8064644982
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a9cf232b-4265-487d-a887-eadec9d2b379
Unpacked files
SH256 hash:
95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a
MD5 hash:
fe340cbe70c6d4a380e2ac9f6698e5ab
SHA1 hash:
9a492b5c0158f2f8c38073f20bb2fb041150edaf
Link:
https://www.unpac.me/results/8202350c-eb36-4302-a1fa-ce72ba44b58a/
SH256 hash:
ba62e7e89557bb426f1813b06a062db822e8d0141e93936d132b58fd4382af44
MD5 hash:
9c25fef6456290916a73792f1e2f8e54
SHA1 hash:
3bc346d1f860801cf5aaed37014a2efca9170791
Link:
https://www.unpac.me/results/8202350c-eb36-4302-a1fa-ce72ba44b58a/
SH256 hash:
dbdccd99b92299669a805b02df7092daf2ee435af1d447332312c2f358bb4e81
MD5 hash:
dab0b33660845fff2fb2a6ee3cb3bfcb
SHA1 hash:
798953fd8a2f491a7cc02ceecd257a95629aa675
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/8202350c-eb36-4302-a1fa-ce72ba44b58a/
Parent samples :
0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2
95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a
b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537
SH256 hash:
1aef9bb14e0d89f520183fe9efd2380655139f17b4adbc7d58e18a6b2a8232df
MD5 hash:
b36b6756c22421a2db5d0aefb7218f55
SHA1 hash:
e42f8e3104f04376a2f927e85daf2f8d1a571c73
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8202350c-eb36-4302-a1fa-ce72ba44b58a/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95aa51f232ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29275/

Comments