MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a14aacfdcd67dc00329aa8d563cf6edfe5029aaf03dc816b3b77c50ded24cce1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a14aacfdcd67dc00329aa8d563cf6edfe5029aaf03dc816b3b77c50ded24cce1
SHA3-384 hash: 6dfd37a9e79c1aa44a6e577c5f4e2672b5a0d0aa5ed6e12e8407febcd9d77bf6d55c812a8d635ec3ac08357619953aaa
SHA1 hash: db6adf41b5cff216cc9ba9482e51200e5ae02c5f
MD5 hash: eddba74397db1acfa68e3c531c28a5ff
humanhash: social-six-uniform-hydrogen
File name:通知文件 HZ330A 012334R68。.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:854'016 bytes
First seen:2023-08-03 07:12:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:nI2iN8JJBFovPlCJ4qRk5Nj4FWyppfPxyezZXHwusiKcxyAl3:nI1uJ+F047njq1zpQF8
Threatray 330 similar samples on MalwareBazaar
TLSH T12A0523B426F94B78DB75A3F26481004502FB81867230DA648EF35CED7E71B8157A8F6B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
通知文件 HZ330A 012334R68。.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-03 07:13:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5d0ff98e-e012-4a28-888d-a28d472b4773

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/440004/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/a14aacfdcd67dc00329aa8d563cf6edfe5029aaf03dc816b3b77c50ded24cce1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/056e545c-78b6-425f-8cba-a2848511ed37
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1284900
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a14aacfdcd67dc00329aa8d563cf6edfe5029aaf03dc816b3b77c50ded24cce1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-01 16:11:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uffkz7onm7oaamu2vdkwht3o37sqfgvpapoic2z3o7cq33jeztqq._file
Verdict:
malicious
Similar samples:
09bf94af5ceabc708551e3bf599d3d94c8b3ced7606f2018c506cfc9b5a21710
DarkCloud
1aa319975a9d1142cd5737d4b41d1004223881bf4e3485770a75be645e54934e
DarkCloud
2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d
DarkCloud
324b84d54292eab83c188003dfa1d3f5854402e185a6a103d8b9c1fa73afc92e
DarkCloud
367426620ba8ef291443c9bec1236ee3a3a36fdd8043d9f0052c83e989595716
DarkCloud
4ad51ee71da26867904c568a85bd257a3ebe2afdb5d1a4b6c7746c19b1743173
DarkCloud
4ff2e8cb6e81b9946d403ee59271618620e4e55164d9b591be3d648425505185
DarkCloud
e4bf2c0f2c23c761983ab4c03f287d5692a1446a3087bf043d7fefde261b8e6f
DarkCloud
ff4c6f9c1fcbf3f0281a74e174e9d9e0ed9946e22891622bb534397d85ee078f
DarkCloud
+ 320 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230803-h1392sbh65/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/4dd4d8f9-04ac-4249-b3bd-563a12cc247c/
SH256 hash:
2dd78efa9e1691b1b35a5cd7f5dcc41006ed0b7ff7b5a79c00eb76640452c0bd
MD5 hash:
1101c0ecb662df885c3be027e3faef30
SHA1 hash:
c215f27041d3e509d951385180dcced788c02aba
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/4dd4d8f9-04ac-4249-b3bd-563a12cc247c/
SH256 hash:
b5a5d063c8811a20dfc02b1b39f544d020343526e6c2574e20b3d0cadaddc1e5
MD5 hash:
311ac6cd401a7eae34bd34a3765b6285
SHA1 hash:
c881aed72b164622975eb255822222695e6fe5a8
Link:
https://www.unpac.me/results/4dd4d8f9-04ac-4249-b3bd-563a12cc247c/
SH256 hash:
1dcc2630a57a85ed362bccb7a130b957b1713acdd145f7399b6dd8c62955e8e0
MD5 hash:
8763642a17fce45aa4812017fa49cefa
SHA1 hash:
bcc969039730812b9d7501247b92f06a8779cf4a
Link:
https://www.unpac.me/results/4dd4d8f9-04ac-4249-b3bd-563a12cc247c/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/4dd4d8f9-04ac-4249-b3bd-563a12cc247c/
SH256 hash:
a14aacfdcd67dc00329aa8d563cf6edfe5029aaf03dc816b3b77c50ded24cce1
MD5 hash:
eddba74397db1acfa68e3c531c28a5ff
SHA1 hash:
db6adf41b5cff216cc9ba9482e51200e5ae02c5f
Link:
https://www.unpac.me/results/4dd4d8f9-04ac-4249-b3bd-563a12cc247c/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe a14aacfdcd67dc00329aa8d563cf6edfe5029aaf03dc816b3b77c50ded24cce1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/440004/

Comments