MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cea2f9c37fe29d7dca80adc57c2cb5b721a5fb0c6811074a13da634e7b8740b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cea2f9c37fe29d7dca80adc57c2cb5b721a5fb0c6811074a13da634e7b8740b
SHA3-384 hash: 3ee6679bb521e3543156e9e98add13c5761923f376ad87a8813e7b727bd8859dacf2bbb04b8bab41d66a4ed5a073823c
SHA1 hash: 287461937b5c10dffe4571edf39506d32a43a86d
MD5 hash: cb6efa797319725cfb1424ba7a03bc6c
humanhash: west-oregon-one-cup
File name:RFQ0765456789.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:499'707 bytes
First seen:2023-11-01 06:25:30 UTC
Last seen:2023-11-01 08:16:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 12288:wYQ5PScfIVMzYMewERaNnufieBuUPTzUb:wYQ56ZVSVxoalufiRb
Threatray 33 similar samples on MalwareBazaar
TLSH T1CCB4121979A2D50FC5E035F92D75612A2B70BCA01320C1576BF1BF69FA72213EC8936E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter abuse_ch
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457494/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
91%
Tags:
control guloader installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6541ef8134de31f579cf526d/reports/5ed25851-3f4c-4461-bd6b-4074e1509e71/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9cea2f9c37fe29d7dca80adc57c2cb5b721a5fb0c6811074a13da634e7b8740b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a1dc1cd-580a-4574-8154-85ff5a6c4cc8
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335226
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335226 Sample: RFQ0765456789.exe Startdate: 01/11/2023 Architecture: WINDOWS Score: 100 31 showip.net 2->31 45 Antivirus / Scanner detection for submitted sample 2->45 47 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 4 other signatures 2->51 8 RFQ0765456789.exe 18 2->8         started        11 aavf.exe 2->11         started        14 aavf.exe 2->14         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\Temp\ijjyjk.exe, PE32 8->29 dropped 16 ijjyjk.exe 1 2 8->16         started        53 Antivirus detection for dropped file 11->53 55 Multi AV Scanner detection for dropped file 11->55 57 Detected unpacking (changes PE section rights) 11->57 61 3 other signatures 11->61 20 aavf.exe 15 11->20         started        59 Maps a DLL or memory area into another process 14->59 22 aavf.exe 15 14->22         started        signatures6 process7 file8 27 C:\Users\user\AppData\Roaming\...\aavf.exe, PE32 16->27 dropped 35 Antivirus detection for dropped file 16->35 37 Multi AV Scanner detection for dropped file 16->37 39 Detected unpacking (changes PE section rights) 16->39 43 4 other signatures 16->43 24 ijjyjk.exe 16 16->24         started        41 Tries to harvest and steal browser information (history, passwords, etc) 22->41 signatures9 process10 dnsIp11 33 showip.net 162.55.60.2, 49708, 49712, 49713 ACPCA United States 24->33
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9cea2f9c37fe29d7dca80adc57c2cb5b721a5fb0c6811074a13da634e7b8740b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cea2f9c37fe29d7dca80adc57c2cb5b721a5fb0c6811074a13da634e7b8740b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-28 11:04:57 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 37 (67.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ttvc7hbx7yu5pxfiblofpqwllnzbux5qy2ara5fbhwtdjz5yoqfq._file
Verdict:
malicious
Similar samples:
032d41e43c7f83d6d88dc9e1c63e7fb7f2af670433336e5c892effffd49dd328
DarkCloud
3aab0958e9a00bd95bede733c42f2adf2c0e1e9a121e39f52680cb359f5af02b
DarkCloud
4a63fd45dcc97cf19892173f6101ff932109f8e3c382db28ea077c63a65f203d
DarkCloud
6aefd54fa38a79c06e9e652ed657de89171ff12c5db2a1b896e0813d3f53bb6a
DarkCloud
703f6ba3c612e1c35bc33fdc2201f9bccc1f8a146ce8b1008b47f581e89a77a0
DarkCloud
8e06e30fe6a9c4f64a09da567c0a6d2f01b49622f535122736d1dd7177b7f9be
DarkCloud
ca9c5b008a075bbdb57a89b0aef111458f5f9c8ee21f279a06abc481d35ba324
DarkCloud
d5dd0ef5889a2914827bce9e094f7736994149ae7c1fd6c8e0d63d6525aa8c17
DarkCloud
+ 23 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer
Link:
https://tria.ge/reports/231101-g67c8abe7z/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/0864ab2d-f1f3-4a6e-bdf8-7a1b2d19210c/
SH256 hash:
e893d6abf6e40a202cb5d73c56bfa3d529ac131a6aa8b58ed34c2a542ebe3199
MD5 hash:
62622a164537ce14d728d66657f2956e
SHA1 hash:
9313402d35281d6c15f5dd1f4a318046aff5b3fd
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/0864ab2d-f1f3-4a6e-bdf8-7a1b2d19210c/
SH256 hash:
eb183308169d89a0fd62ca6f1c8f1f61a75f70272496484b65898cb80733cb35
MD5 hash:
8e9f436caf3782d5e208349f848ee1d2
SHA1 hash:
2b41e310dc7bcf29daddc7d27049cc5a33757ed1
Link:
https://www.unpac.me/results/0864ab2d-f1f3-4a6e-bdf8-7a1b2d19210c/
SH256 hash:
9cea2f9c37fe29d7dca80adc57c2cb5b721a5fb0c6811074a13da634e7b8740b
MD5 hash:
cb6efa797319725cfb1424ba7a03bc6c
SHA1 hash:
287461937b5c10dffe4571edf39506d32a43a86d
Link:
https://www.unpac.me/results/0864ab2d-f1f3-4a6e-bdf8-7a1b2d19210c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cea2f9c37fe29d7dca80adc57c2cb5b721a5fb0c6811074a13da634e7b8740b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 9cea2f9c37fe29d7dca80adc57c2cb5b721a5fb0c6811074a13da634e7b8740b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/457494/

Comments