MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb
SHA3-384 hash: 4aa484e6df570c82e8c5c88969cf43eb0e6765f12fbfd4101b08ac2dec6cdfc93825dc2f2833efa5a9172a6e0c312bb5
SHA1 hash: 11c68a384fcd12b77ca221e0eec1dd2683056dba
MD5 hash: 884bd7c5f3fa58edd85ba3d268decbae
humanhash: bravo-green-vermont-south
File name:Ziraat Bankasi Swift Mesaji.pdf.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'168'896 bytes
First seen:2023-01-09 14:21:56 UTC
Last seen:2023-01-10 02:18:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:IqqhCsJLFscvNVlu+99k4mrIl5tBfBFLgGZokXJVCQ6nP/A/mYx:NuLSclB35x5gG3azP4
Threatray 6'001 similar samples on MalwareBazaar
TLSH T13445DF9237F0E477F4CE133D49282BD82D6A6652B2B4F23B5F232E9151919FF7285248
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DarkCloud exe geo TUR ZiraatBank

Intelligence

File Origin
# of uploads :
2
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-09 14:23:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/306c1d97-7873-4582-9bc3-b02ba7d5b50b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351155/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.24635.31810.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/63bc230e0fdf1633326df5f2/reports/55ac0026-6ebd-405b-a8b4-63604fa66ed8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8671976-e22d-40d5-bdc1-2c8b7cb0f067
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1148138
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 780874 Sample: Ziraat Bankasi Swift Mesaji... Startdate: 09/01/2023 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 11 other signatures 2->54 7 Ziraat Bankasi Swift Mesaji.pdf.exe 7 2->7         started        11 ROJigQdngunSJ.exe 5 2->11         started        process3 file4 32 C:\Users\user\AppData\...\ROJigQdngunSJ.exe, PE32 7->32 dropped 34 C:\...\ROJigQdngunSJ.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmp9A40.tmp, XML 7->36 dropped 38 Ziraat Bankasi Swift Mesaji.pdf.exe.log, ASCII 7->38 dropped 58 Adds a directory exclusion to Windows Defender 7->58 13 Ziraat Bankasi Swift Mesaji.pdf.exe 7 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        60 Multi AV Scanner detection for dropped file 11->60 62 Machine Learning detection for dropped file 11->62 64 Writes or reads registry keys via WMI 11->64 21 ROJigQdngunSJ.exe 4 11->21         started        24 schtasks.exe 1 11->24         started        signatures5 process6 dnsIp7 42 pinartur.com.tr 46.31.79.76, 49695, 49696, 49697 HOSTLABTR Turkey 13->42 44 mail.pinartur.com.tr 13->44 40 C:\Users\Public\vbsqlite3.dll, PE32 13->40 dropped 26 conhost.exe 17->26         started        28 conhost.exe 19->28         started        46 mail.pinartur.com.tr 21->46 56 Tries to harvest and steal browser information (history, passwords, etc) 21->56 30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-01-09 11:25:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=to2d4gigqx4gsn7aszz54msdzpqzohwpb2vzw5patug6s3uxmtfq._file
Verdict:
malicious
Similar samples:
26fd5960f4df473e74ae181061882322a19eab1b37f4ebc846d8634f538d43e9
DarkCloud
2e45a9113007ef46e148979f14d5723b5af959b54503dd26c09895320d990eeb
DarkCloud
37b0b6c8e886ba54facc53bea8f5d11ea52bb2ad186ef496bac773ba989b9e89
DarkCloud
3ac0ff1d6a7bcbcd3feb5fd5f978b98845ac587b4b7e7be2233849295491e777
DarkCloud
72583f44847a7163594df6713b246140478f41f50448f9d8585ebfde2d4b3ca0
DarkCloud
b37d144969e6b5af86a1009c619bb11141022698bb6eea663e799fb740fd7851
DarkCloud
cb7ffda616dbfb59cec05339b9bee2e7ecae48595545ee4e63d93e9751feb594
DarkCloud
d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1
DarkCloud
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
DarkCloud
e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c
DarkCloud
+ 5'991 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230109-rpks1aee33/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/44146241-25f1-4a1e-8508-107ac57ebf22
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/e745ae56-6625-4632-8c76-836dc6666a54/
SH256 hash:
c8e084c6e8d4748dc77d98b674055acd83f000509beaf199784c2f17f5cf750c
MD5 hash:
45ce4144f3744cda984b1b67766e1f91
SHA1 hash:
63d46e7283fff70155ba191ae679f771e0d8d52d
Link:
https://www.unpac.me/results/e745ae56-6625-4632-8c76-836dc6666a54/
SH256 hash:
1c0072bd0c8fbf0e27d145a0ee7e34428936c2ddeba929d3f60e352891e7e0c6
MD5 hash:
b2d0625c46714e40a6a38238659ea9ed
SHA1 hash:
dc43d5d539eab67b7e3109d0e4894e099a1a18f8
Link:
https://www.unpac.me/results/e745ae56-6625-4632-8c76-836dc6666a54/
SH256 hash:
dd9d3d55221d5894053a25b4e92c92b03f78b5d0e8399263a3be460fb39ed6c4
MD5 hash:
d83b6035b284fa3e662e2312ef8a7c47
SHA1 hash:
a76d0b2795cca09b7dc01dd55839a3b11126c449
Link:
https://www.unpac.me/results/e745ae56-6625-4632-8c76-836dc6666a54/
SH256 hash:
5b90e499b26ecf84d6c05870d5b1e1d264db0a62f7c077ad190e2a7e91d43bce
MD5 hash:
51557db486ea3a77da346c89dd032cc7
SHA1 hash:
3a841305d7b23732a07fc32f4f7ee845352f4400
Link:
https://www.unpac.me/results/e745ae56-6625-4632-8c76-836dc6666a54/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/e745ae56-6625-4632-8c76-836dc6666a54/
SH256 hash:
9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb
MD5 hash:
884bd7c5f3fa58edd85ba3d268decbae
SHA1 hash:
11c68a384fcd12b77ca221e0eec1dd2683056dba
Link:
https://www.unpac.me/results/e745ae56-6625-4632-8c76-836dc6666a54/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/351155/

Comments