MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98b2f6704cd9dbf6372aa6b6f6f5d3c2208509ec2d26b1e177d4cdfc62d34bf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	98b2f6704cd9dbf6372aa6b6f6f5d3c2208509ec2d26b1e177d4cdfc62d34bf5
SHA3-384 hash:	40dff27cd864828bd9a986486be6ed79fe728d3419cbe70809bc92983489950235690fd252f66bcd45e1e74790bcf230
SHA1 hash:	f58285db22aa78923c00ac32ff87aebbbab2ae3c
MD5 hash:	e6d331ebaccbde81eefe27ffbed9e58f
humanhash:	berlin-carbon-bulldog-nitrogen
File name:	98b2f6704cd9dbf6372aa6b6f6f5d3c2208509ec2d26b1e177d4cdfc62d34bf5
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	471'040 bytes
First seen:	2025-05-09 14:47:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ba3d7ffbd49efe7b52a4b982634a7131 (6 x DarkCloud)
ssdeep	12288:gjYKkJj6GmZUsDFR3Yioxm/Xvr4JQkAuYqDP:WYb6nZNFR3voI/XvXkPYqDP
Threatray	32 similar samples on MalwareBazaar
TLSH	T1DDA4283BB651202EF162C5B0DAA16156B8116D3A2649FC7BFBC19F493132483E9F532F
TrID	45.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 15.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 14.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 9.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika	pebin
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	adrian__luca
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

340

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

98b2f6704cd9dbf6372aa6b6f6f5d3c2208509ec2d26b1e177d4cdfc62d34bf5

Verdict:

Malicious activity

Analysis date:

2025-05-10 02:33:51 UTC

Tags:

stealer auto-reg evasion darkcloud upx

Link:

https://app.any.run/tasks/7e1e64a7-a771-4b61-a0ce-0ce8d9f31424

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681e170e4a59e5a2ce03618c

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Stealing user critical data

Setting a single autorun event

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

hacktool overlay packed packed visual_basic

Link:

https://www.filescan.io/uploads/681e157f0b64e174c41fcf51/reports/6d39004d-340e-4e08-9e67-fce848c0f867/overview

Verdict:

Malicious

Labled as:

Trojan.Heur2.ZGY.Generic

Link:

https://www.hybrid-analysis.com/sample/98b2f6704cd9dbf6372aa6b6f6f5d3c2208509ec2d26b1e177d4cdfc62d34bf5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f9e2f64b-2764-4a78-8a10-c82dcbbe1329

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1685817

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected DarkCloud

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/98b2f6704cd9dbf6372aa6b6f6f5d3c2208509ec2d26b1e177d4cdfc62d34bf5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/98b2f6704cd9dbf6372aa6b6f6f5d3c2208509ec2d26b1e177d4cdfc62d34bf5/

Threat name:

Win32.Infostealer.Generic

Status:

Suspicious

First seen:

2025-04-28 14:13:05 UTC

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tczpm4cm3hn7mnzku23pn5otyiqikcpmfutldylx2tg7yywtjp2q._file

Verdict:

malicious

Label(s):

darkcloudstealer

DarkCloud

75b2472b562f8ae20e5ebc2f6c32a8a3eb1883b25c920000db1597ada8961076

DarkCloud

8b6b45cea7dc2bb5c9784c55e84fb95122be7e1453eefb25f7222ed0224bef79

DarkCloud

b692daf75189a3b7f30130f064b20167c3c68151d25b12f78397262a17d19aef

DarkCloud

c920c6eca469fff5ec81c3e8c92f734190a20f944b63f9d9248a5764afce6aa1

DarkCloud

ddcb6ff5ce9cd75b9b7457b787b165000fab3bf4441509d5a1394983dd0bcbcc

DarkCloud

error

DarkCloud

+ 22 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery persistence spyware stealer

Link:

https://tria.ge/reports/250509-r52rfsgj6v/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Adds Run key to start application

Executes dropped EXE

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Verdict:

Malicious

Tags:

stealer darkcloud_stealer darkcloud

YARA:

Windows_Trojan_DarkCloud_9905abce

Link:

https://app.threat.zone/submission/0d7ba57d-1866-4f8a-b610-7eb4facb474a

Unpacked files

SH256 hash:

98b2f6704cd9dbf6372aa6b6f6f5d3c2208509ec2d26b1e177d4cdfc62d34bf5

MD5 hash:

e6d331ebaccbde81eefe27ffbed9e58f

SHA1 hash:

f58285db22aa78923c00ac32ff87aebbbab2ae3c

Link:

https://www.unpac.me/results/49abed05-e758-4c94-865d-96fe79468264/

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/49abed05-e758-4c94-865d-96fe79468264/

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/98b2f6704cd9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ProtectSharewareV11eCompservCMS Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	Windows_Trojan_DarkCloud_9905abce Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaCopyBytes MSVBVM60.DLL::__vbaSetSystemError MSVBVM60.DLL::__vbaExitProc MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaPrintFile

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample