MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d72ce2b96230793c01a4628b5f8aaea6b0d7021c0806b23cf5c2747dd9a232f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d72ce2b96230793c01a4628b5f8aaea6b0d7021c0806b23cf5c2747dd9a232f
SHA3-384 hash: d97e77b03790c1d440ae0b8c551c23316341e143eb29a925311bbc68c03a22052d2c24a0783b4456d207bfca535e6351
SHA1 hash: 3da2dae00338c3312778df4c35ace6121d62eade
MD5 hash: 1d35f5b9450b5481ae0e303da85b3cca
humanhash: comet-river-enemy-red
File name:HESAP____________________________________________________________________________________________ BEYANI.___PDF.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:964'608 bytes
First seen:2024-01-19 16:37:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:VmPgjjN179c11+Sb0L2HFZriiuEkwPQd2B04s/:35rI1+SALUXeif7PQdx4s/
Threatray 353 similar samples on MalwareBazaar
TLSH T17C251291F12C6B9AD82A93FD9C10602017FABBAB506DE7861EF331CB1471BC36146D5B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DarkCloud exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/471731/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65aaa5732593e1cd0baa59a8/reports/005de2e4-1bc9-4d34-85d9-1510bbb759d6/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9d72ce2b96230793c01a4628b5f8aaea6b0d7021c0806b23cf5c2747dd9a232f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/736dfa6a-410b-49d7-bb69-eefee3af14ad
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1377610
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377610 Sample: I.___PDF.exe Startdate: 19/01/2024 Architecture: WINDOWS Score: 100 33 showip.net 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected DarkCloud 2->39 41 6 other signatures 2->41 8 I.___PDF.exe 3 2->8         started        11 semicircular.exe 2 2->11         started        signatures3 process4 signatures5 43 Writes or reads registry keys via WMI 8->43 45 Injects a PE file into a foreign processes 8->45 13 semicircular.exe 3 8->13         started        16 I.___PDF.exe 1 43 8->16         started        20 I.___PDF.exe 8->20         started        24 2 other processes 8->24 22 semicircular.exe 22 11->22         started        process6 dnsIp7 49 Multi AV Scanner detection for dropped file 13->49 51 Machine Learning detection for dropped file 13->51 53 Writes or reads registry keys via WMI 13->53 55 Injects a PE file into a foreign processes 13->55 26 semicircular.exe 27 13->26         started        31 showip.net 162.55.60.2, 49710, 49711, 49714 ACPCA United States 16->31 29 C:\Users\user\AppData\...\semicircular.exe, PE32 16->29 dropped 57 Found many strings related to Crypto-Wallets (likely being stolen) 16->57 59 Tries to harvest and steal browser information (history, passwords, etc) 22->59 file8 signatures9 process10 signatures11 47 Found many strings related to Crypto-Wallets (likely being stolen) 26->47
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9d72ce2b96230793c01a4628b5f8aaea6b0d7021c0806b23cf5c2747dd9a232f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d72ce2b96230793c01a4628b5f8aaea6b0d7021c0806b23cf5c2747dd9a232f/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2024-01-18 09:20:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tvzm4k4wemdzhqa2iyull6fk5jvq24bbycagwi6plqtupxm2emxq._file
Verdict:
malicious
Similar samples:
3086aab6085c707f06ba83f20a0cd8ebe4d1c59af1f9d76039e34c1f5c07459a
DarkCloud
46165206f430648e60c96434490576705decd79d2641b99110e277c7c2dad1d5
DarkCloud
78b984255563f6e9fd26b210764ed39935bc6bb73258e417b2cd88f5b2c53399
DarkCloud
8838c8ec2ad1e7f3d9b4efcd3c0c2134507988c60915b2a2a6bf10eac2fb3cde
DarkCloud
9d72ce2b96230793c01a4628b5f8aaea6b0d7021c0806b23cf5c2747dd9a232f
DarkCloud
d56fba09ff195114fdf8404435b83e2b9e49193e9e97afc3adef35610714462c
DarkCloud
d99f72c298895809260b08284f4b62ed07680b3aef96b6ebf0155e0690bc0835
DarkCloud
f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45
DarkCloud
+ 343 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/240119-t5dqqsaea3/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SH256 hash:
0372b57234805f137eb8c2343206a5af3e1f3895bdff326d49f7c732e1965b50
MD5 hash:
8d4ead5a7d1a732c95f8c9a9de47964c
SHA1 hash:
bdd872be139d282997b6b61f7592092a63e82227
Link:
https://www.unpac.me/results/6d8dbf24-4932-4ad3-963a-8507cf668653/
SH256 hash:
2b4cf8b51c4caac8a17c239ce12f5722630e9358060986625b0eed5dd9e01017
MD5 hash:
81c9b6f9ce6e6cc93bf89a1218f12e86
SHA1 hash:
1e2b99b28fc38272b81bc336a66c2960259668b6
Link:
https://www.unpac.me/results/6d8dbf24-4932-4ad3-963a-8507cf668653/
SH256 hash:
aad5bfbb1ddc1e1e61a9bd8fd81dc629e775a16f1c9fe0458ffa89124af8d80e
MD5 hash:
c525fbe0ee1fc8d400dde70848e60325
SHA1 hash:
14a6e8f6e96541e3bf998dbcf86fc54b224d617b
Link:
https://www.unpac.me/results/6d8dbf24-4932-4ad3-963a-8507cf668653/
SH256 hash:
42f913d7f418d48d8a9f731df5aaa17dd999acceb18008bc6feec818c5102740
MD5 hash:
9de616c5c04595c7d3594dc6d35d29a6
SHA1 hash:
affdd23a0d6f48a417c4466440f82825b8ed220e
Link:
https://www.unpac.me/results/6d8dbf24-4932-4ad3-963a-8507cf668653/
SH256 hash:
3bb37a73b4d73aa059df6a5dec3a76264ea41239eeddead0ca1fe821e6114f94
MD5 hash:
e2c986334fa25f027f9a858c1acb7935
SHA1 hash:
79f38ccb89f66385d480fd1ee5719c4e86137b3f
Detections:
darkcloudstealer
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Link:
https://www.unpac.me/results/6d8dbf24-4932-4ad3-963a-8507cf668653/
SH256 hash:
9d72ce2b96230793c01a4628b5f8aaea6b0d7021c0806b23cf5c2747dd9a232f
MD5 hash:
1d35f5b9450b5481ae0e303da85b3cca
SHA1 hash:
3da2dae00338c3312778df4c35ace6121d62eade
Link:
https://www.unpac.me/results/6d8dbf24-4932-4ad3-963a-8507cf668653/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d72ce2b96230793c01a4628b5f8aaea6b0d7021c0806b23cf5c2747dd9a232f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 9d72ce2b96230793c01a4628b5f8aaea6b0d7021c0806b23cf5c2747dd9a232f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/471731/

Comments