MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a266e4535729d94c2c389e3d705c59162cf9cb21bc4d521edc61f2affef3e20c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a266e4535729d94c2c389e3d705c59162cf9cb21bc4d521edc61f2affef3e20c
SHA3-384 hash: cd14bb494458030e465a1b03ad9fec7a1f746c81419da02556d56deb073d715571b1b4af364c1441a28e3efe05e3e5b2
SHA1 hash: 06f03cb2ee12e8aa8150243df6935f8c2d07e7f6
MD5 hash: 6ee86a3b2c27e64fad95b359e35b3e61
humanhash: neptune-steak-mango-alaska
File name:SecuriteInfo.com.Trojan.PackedNET.2370.17852.3724
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'491'968 bytes
First seen:2023-10-13 10:37:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:LF4zz9LOgRTI+l/99PX/9J0756o4O+5QxhPq1W/ogLnD9z1iKE32mahaCzV:RovTI+l/VJm/5xhi1tGdQN32mahaC
Threatray 229 similar samples on MalwareBazaar
TLSH T17765872C0CF80912C161E17EDFD4EA27B2808CD6664C9D9687C58F5A6A1793BF09BD3D
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.2370.17852.3724
Verdict:
Malicious activity
Analysis date:
2023-10-13 10:39:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0a719bb0-8b57-457b-8dfe-2cb168d1e32e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/454098/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.2370.17852.3724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade packed replace
Link:
https://www.filescan.io/uploads/65291e0ba29a700213a161ff/reports/e3bd2d38-f508-4bfc-9025-16c9999eeb73/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a266e4535729d94c2c389e3d705c59162cf9cb21bc4d521edc61f2affef3e20c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c126aff1-3b18-4ad1-87ac-3842c97d36c9
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325216
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1325216 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 13/10/2023 Architecture: WINDOWS Score: 100 57 showip.net 2->57 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 Sigma detected: Scheduled temp file as task from temp location 2->69 71 8 other signatures 2->71 8 SecuriteInfo.com.Trojan.PackedNET.2370.17852.3724.exe 7 2->8         started        12 OlNfRscfOzqhwU.exe 5 2->12         started        14 fireling.exe 2->14         started        16 fireling.exe 2->16         started        signatures3 process4 file5 51 C:\Users\user\AppData\...\OlNfRscfOzqhwU.exe, PE32 8->51 dropped 53 C:\Users\user\AppData\Local\...\tmp1D03.tmp, XML 8->53 dropped 73 Found many strings related to Crypto-Wallets (likely being stolen) 8->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 8->75 77 Adds a directory exclusion to Windows Defender 8->77 18 SecuriteInfo.com.Trojan.PackedNET.2370.17852.3724.exe 43 8->18         started        21 powershell.exe 22 8->21         started        23 powershell.exe 22 8->23         started        35 3 other processes 8->35 79 Antivirus detection for dropped file 12->79 81 Multi AV Scanner detection for dropped file 12->81 83 Machine Learning detection for dropped file 12->83 25 OlNfRscfOzqhwU.exe 12->25         started        29 schtasks.exe 12->29         started        85 Writes or reads registry keys via WMI 14->85 87 Injects a PE file into a foreign processes 14->87 37 2 other processes 14->37 31 fireling.exe 16->31         started        33 schtasks.exe 16->33         started        signatures6 process7 dnsIp8 61 Found many strings related to Crypto-Wallets (likely being stolen) 18->61 39 conhost.exe 21->39         started        41 conhost.exe 23->41         started        59 showip.net 162.55.60.2, 49744, 49746, 49747 ACPCA United States 25->59 55 C:\Users\user\AppData\...\fireling.exe, PE32 25->55 dropped 43 conhost.exe 29->43         started        63 Tries to harvest and steal browser information (history, passwords, etc) 31->63 45 conhost.exe 33->45         started        47 conhost.exe 35->47         started        49 conhost.exe 37->49         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a266e4535729d94c2c389e3d705c59162cf9cb21bc4d521edc61f2affef3e20c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a266e4535729d94c2c389e3d705c59162cf9cb21bc4d521edc61f2affef3e20c/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-10-13 08:53:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujtoiu2xfhmuylbyty6xaxczcywptszbxrgvehw4mhzk77xt4iga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21590f5c7b6ac30d1c7dd02ac222e9803694a2d3b8036875e23ba10943c331d2
DarkCloud
2e68f9ba9b0eea70dc6a43c56ba183728769293feb53d1ed73f1b41097213587
DarkCloud
47828de9e3c3b3bf2955c6cd2a72f2d75cb54c91756eee1b56a42bd1bf09f7f2
DarkCloud
4a97e9c01e3c23d0a338f2dc4b6c84163fea5626311e996a494283a51292a3a4
DarkCloud
541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a
DarkCloud
8a0caf3a314acdd946e058b936136c755e7701c1384b1f632075c0bc8d958bcf
DarkCloud
9a00523dfd6d321adb4fffbb54a1550055dde6301dddba3a5157a4169b11d462
DarkCloud
ae8131e8c5b55b77c69a8962dcf41b811b0411f1b4c1d9e702d446e639648e97
DarkCloud
c1cb5a4a27cf88c43845d65d73c7ca0706b00f8c999301061b745ce922c1bd12
DarkCloud
e8d0cc3c7ea34571768f840ae00c2f81f08ce08a1cf237c2374f47bd3f0da646
DarkCloud
+ 219 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/231013-mpdmgaad76/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/86b06257-a714-47c6-b4f8-32f5c692f4ed/
SH256 hash:
f3c4991772768c57889d3b81444edc0626064ccf7f548fa468f48a0d60a825a0
MD5 hash:
4bb3ca0837678636109ca8f9087ab201
SHA1 hash:
19ea03231278a51ecd7aa1da278490d3f04ee6d6
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/86b06257-a714-47c6-b4f8-32f5c692f4ed/
SH256 hash:
a040efb5ce92995b5d40fd2536c8ad6a93f2d8584a3dd52f07cdb0b34c9e6e29
MD5 hash:
a5a52675690de850e3de6c05a9bd885f
SHA1 hash:
fd953edf2e910fbb43c9e6d4c8d48632bb4e55c6
Link:
https://www.unpac.me/results/86b06257-a714-47c6-b4f8-32f5c692f4ed/
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/86b06257-a714-47c6-b4f8-32f5c692f4ed/
SH256 hash:
957ca1d458cfafbcd80a319034a5dfaa5cb58e7df1ace0b03c8cc6778a19c3af
MD5 hash:
bf799004de9c5d3de0f00a0a7442ccf4
SHA1 hash:
7170a4f1b999ba6e305033ee1bf5f2594cb6a18b
Link:
https://www.unpac.me/results/86b06257-a714-47c6-b4f8-32f5c692f4ed/
SH256 hash:
a266e4535729d94c2c389e3d705c59162cf9cb21bc4d521edc61f2affef3e20c
MD5 hash:
6ee86a3b2c27e64fad95b359e35b3e61
SHA1 hash:
06f03cb2ee12e8aa8150243df6935f8c2d07e7f6
Link:
https://www.unpac.me/results/86b06257-a714-47c6-b4f8-32f5c692f4ed/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/454098/

Comments