MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
SHA3-384 hash: 5f11c73e37c7be8f5c9a15d42869889d2e110a95345c65f47d2b3fd9b16051fd2ad0c1284fec5d01b8e5e3fcc6c80a81
SHA1 hash: 54110a48d79b169f4c6b6e84ccecb885c3121e47
MD5 hash: 3d02df482ba2297ede23e6afd7135143
humanhash: washington-island-echo-solar
File name:LIST OF ORDER.pdf.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:452'127 bytes
First seen:2023-05-23 15:25:22 UTC
Last seen:2023-05-23 15:49:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:vYuzkMoGZX9XrsgPMMtASzKwCrWllYLRMlSR23h:vYuzkMousUtP2rWgCAgh
Threatray 8 similar samples on MalwareBazaar
TLSH T15CA423006F54C8C3F1D645352E7622A72AC6F5660760CB0F2B55EE68BB61F1ECA0F3A5
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter threatcat_ch
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
278
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LIST OF ORDER.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-23 15:26:51 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/50591101-8198-43e1-bbb6-0e19f4c51cd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67162787.17543.16395.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/87599/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/646cdb0b63d8dda9d0ac6ce6/reports/1895ca0b-cece-4412-9bec-1f5b9b6ea793/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/67736b80-0456-46bd-b9d7-6bf5228ed35c
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1240997
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 874005 Sample: LIST_OF_ORDER.pdf.exe Startdate: 23/05/2023 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Antivirus detection for dropped file 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 7 other signatures 2->38 6 xhqmvfbjfoxtmi.exe 19 2->6         started        10 LIST_OF_ORDER.pdf.exe 1 21 2->10         started        process3 file4 18 C:\Users\user\AppData\Local\...\pdnxais.dll, PE32 6->18 dropped 40 Antivirus detection for dropped file 6->40 42 Multi AV Scanner detection for dropped file 6->42 44 May check the online IP address of the machine 6->44 52 2 other signatures 6->52 12 xhqmvfbjfoxtmi.exe 44 6->12         started        20 C:\Users\user\AppData\...\xhqmvfbjfoxtmi.exe, PE32 10->20 dropped 22 C:\Users\user\AppData\Local\...\pdnxais.dll, PE32 10->22 dropped 46 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->46 48 Maps a DLL or memory area into another process 10->48 50 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 10->50 16 LIST_OF_ORDER.pdf.exe 1 45 10->16         started        signatures5 process6 dnsIp7 24 mail.hoteldomnuno.com 12->24 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 26 hoteldomnuno.com 78.46.82.112, 465, 49703, 49706 HETZNER-ASDE Germany 16->26 28 mail.hoteldomnuno.com 16->28 30 4 other IPs or domains 16->30 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2023-05-22 00:49:05 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ty2e7c3gmvhnec7tnt6vylqnoeele2r65k2wn3rgdnskjfo5zczq._file
Verdict:
malicious
Similar samples:
081d698ce05d76d8762d9f725143095a0c3ee39a663c08e4523e951dfab93507
DarkCloud
0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a
DarkCloud
2cb40ab75643b224448586afb5e342971d2a5f42c07a21138a63ef7b76a3a6e7
DarkCloud
3c703c79f804220c6210cef1c0e98cd7cdce8848e84483b5d371e05f5edf02a5
DarkCloud
90993a3235dc0c8677796ee6e9493b38bf5d1262a80905cb5aab896b28c714f9
DarkCloud
93d81535630f75f9600b9a307dc2cd197f9f49361056cba8aa15cd5a4691831d
DarkCloud
b03225ede8b6ce37f12a6999260e06d0274ced375ac52294cae061a50dc61527
DarkCloud
cc012015571f75771700164d8e5fe60c7ea9a2f351a698ebce99ef8a2a5f071c
DarkCloud
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer
Link:
https://tria.ge/reports/230523-st6rpsgg5v/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/31d099b3-837a-4e22-8605-2c5484035800/
SH256 hash:
39fa0c7fdf1f81815dea72d0fa313e33d4fd990c73b2ac96044711fbd48c0dba
MD5 hash:
92da93cc04a03d37aecdb289989bde54
SHA1 hash:
ddc5a183d12a295a4bd4f250061b3df454d50d91
Link:
https://www.unpac.me/results/31d099b3-837a-4e22-8605-2c5484035800/
SH256 hash:
a8310c674be71fdb424a58604641f524e71997620f70a7016b7471632a4c70fc
MD5 hash:
aa8dc22810ce5c81b6545d6dacb0039f
SHA1 hash:
dca820eefa6ced888c5af69876229f0d2dac755a
Link:
https://www.unpac.me/results/31d099b3-837a-4e22-8605-2c5484035800/
SH256 hash:
9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
MD5 hash:
3d02df482ba2297ede23e6afd7135143
SHA1 hash:
54110a48d79b169f4c6b6e84ccecb885c3121e47
Link:
https://www.unpac.me/results/31d099b3-837a-4e22-8605-2c5484035800/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments