MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97a6c2608c1e6c30e08ef783b41087ae099d399e0c3ded19a111878e12e4965a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: DarkCloud
Vendor detections: 9

SHA256 hash: 97a6c2608c1e6c30e08ef783b41087ae099d399e0c3ded19a111878e12e4965a
SHA3-384 hash: da10e691fa20b976889bad3ab3d726a5dbc16f32b7a50606c3231edea5cde80b9583db072eec81108b62ab725efce960
SHA1 hash: bc6a2cfb90391c9a8fb504c4df1d32ec1cb0f8b9
MD5 hash: 6d2abeb53a663b7b7c684954f113492a
humanhash: high-nebraska-winner-march
File name: PO#1135 - 裕偉.exe
Signature: DarkCloud
File size: 911'360 bytes
First seen: 2023-01-18 10:35:29 UTC
Last seen: 2023-01-19 16:17:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:5pNlnu0bDv4PdZY7QiDXXYvG31XdzEaeyLjKyBHdmGcNoexY/eTla:Nl374w0iDnYWdEZyBHncNNx8eTl
Threatray: 6'034 similar samples on MalwareBazaar
TLSH: T12D159C41567B86E3C4B909B01438E47826A15CD2866CB13ABDC77DBBBCFA74F00A9753
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: 0xToxin
Tags: DarkCloud exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 234
Origin country: IL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: PO#1135 - 裕偉.exe
Verdict: No threats detected
Analysis date: 2023-01-18 08:04:03 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
  Creating a window
  Searching for synchronization primitives
  Launching the default Windows debugger (dwwin.exe)

Verdict: No Threat
Threat level: 2/10
Confidence: 75%
Tags: packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of such a binary may be suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: DarkCloud
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  .NET source code contains potential unpacker
  Initial sample is a PE file and has a suspicious name
  Injects a PE file into foreign processes
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  May check the online IP address of the machine
  Multi AV Scanner detection for submitted file
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Tries to harvest and steal browser information (history, passwords, etc.)
  Writes or reads registry keys via WMI
  Yara detected AntiVM3
  Yara detected DarkCloud
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-01-18 02:33:38 UTC
File Type: PE (.Net Exe)
Extracted files: 23
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
Unpacked files

SHA256 hash: 3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash: 94d1531b52774dce52a89e33646d5b1d
SHA1 hash: 29bf887b025b97bd7a9e1e261852ba824234a625

SHA256 hash: ebc38f94aff75cd7e1db0422d9871d30498091b408ace976a9f399acdffc282d
MD5 hash: 3f111c4013351f9350f3f75c177ddabd
SHA1 hash: fa34899ea515250d354420f56b8991564d391c2a

SHA256 hash: 3a1108ba9eb7617758c85b4795254d0b012a05d4acb5462d39363dc9f77e5eb5
MD5 hash: 8e5d2da72113328b9dbc4fd1b1ac94b6
SHA1 hash: af5d6eb888a1646618f9b2d31f4a9dad6bdecd94

SHA256 hash: 2061222cbeb704509ed0532bac0bbfa4771ea852a4ef511157c5a272fa2dc1a6
MD5 hash: b4d8fa4542af748e8707077a06f5b153
SHA1 hash: 8c7e56aa2e2b1aa4e317c93a7aba706aded7c144

SHA256 hash: ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c
MD5 hash: 77ab42f4bbbf4565846eb8953192d71f
SHA1 hash: 3c662c756cc31867c0473716a74e777a65ced550

SHA256 hash: f885a40d63e46e455a4e8afeca78f8a4bb284b3dd9b6403e64c3ea53b142059c
MD5 hash: d85213d4834ecb6724c1efd5fe73fbeb
SHA1 hash: 0ad545faeade168157d663789fece184a9294a9b

SHA256 hash: 97a6c2608c1e6c30e08ef783b41087ae099d399e0c3ded19a111878e12e4965a
MD5 hash: 6d2abeb53a663b7b7c684954f113492a
SHA1 hash: bc6a2cfb90391c9a8fb504c4df1d32ec1cb0f8b9
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
