MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e
SHA3-384 hash: a4a3fb14370d23ceee3bdd32ed5d099f79a3938c31b7576ab354a9450c4aa3765f7452bebac0f080c0f40e193b0cf0d3
SHA1 hash: 1a7b482f8a43456515188bfa5da676285bd40f83
MD5 hash: bc43848fb7dadbbcf35d6c71245e349d
humanhash: ten-arkansas-jupiter-twenty
File name:REMITTANCE ADVICE - TT231407ZA9893989.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:445'237 bytes
First seen:2023-07-17 16:01:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6kCDm2IdQW1OFA0nn36ISxdv2L8uwgKrvBkdsbSjQ5q8HUM+ciX:/Y6CKVd9Ui6n36TgKrvBcCSj0HgciX
Threatray 32 similar samples on MalwareBazaar
TLSH T11F9423B516A2E1D3CBE24E3F6F2D08F75EA9950A145C431B1B106B98BE13CD2D68F321
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REMITTANCE ADVICE - TT231407ZA9893989.exe
Verdict:
Malicious activity
Analysis date:
2023-07-17 16:03:51 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/e53105a6-db38-4a68-b4c9-39dc8570c551

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/422712/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.25312.115.1084.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64b565fb7a9c6ddebf0b2232/reports/bf8c220c-4ec0-41ae-989f-58b1478ff76d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95915b68-33b5-4d25-9eae-0e3e0863af05
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274559
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274559 Sample: REMITTANCE_ADVICE_-_TT23140... Startdate: 17/07/2023 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 4 other signatures 2->39 6 unabusiveness.exe 18 2->6         started        10 REMITTANCE_ADVICE_-_TT231407ZA9893989.exe 18 2->10         started        12 unabusiveness.exe 18 2->12         started        process3 file4 25 C:\Users\user\AppData\Local\...\djovyzpe.dll, PE32 6->25 dropped 43 Multi AV Scanner detection for dropped file 6->43 45 Detected unpacking (changes PE section rights) 6->45 47 Detected unpacking (overwrites its own PE header) 6->47 55 2 other signatures 6->55 14 unabusiveness.exe 15 6->14         started        27 C:\Users\user\AppData\Local\...\djovyzpe.dll, PE32 10->27 dropped 49 May check the online IP address of the machine 10->49 51 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->51 53 Maps a DLL or memory area into another process 10->53 17 REMITTANCE_ADVICE_-_TT231407ZA9893989.exe 1 17 10->17         started        29 C:\Users\user\AppData\Local\...\djovyzpe.dll, PE32 12->29 dropped 20 unabusiveness.exe 15 12->20         started        signatures5 process6 dnsIp7 31 showip.net 162.55.60.2, 49698, 49699, 49700 ACPCA United States 17->31 23 C:\Users\user\AppData\...\unabusiveness.exe, PE32 17->23 dropped 41 Tries to harvest and steal browser information (history, passwords, etc) 20->41 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2023-07-16 23:21:02 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=unc5bobcwlxsxl76rd6hbbfkolslzeceim342w7xxaukstn6qbpa._file
Verdict:
malicious
Similar samples:
081d698ce05d76d8762d9f725143095a0c3ee39a663c08e4523e951dfab93507
DarkCloud
1f86f42e9b3f949288c425fb5e3a57a6977a0c529e129a84a9c1935e4a2a2482
DarkCloud
2150f0caeac604ff6b396c3cf863dab727dca9b3c996a7a2aa7e5ea78d0bdae3
DarkCloud
270da7c5b8484ac3f7a0e90036e8e88f951de2ba3a22a0cc56e2b5cd8b0cafe3
DarkCloud
36d0c8e58fabe82307b7b36444e075f5dccd1a57e7b73551d335f76645b11274
DarkCloud
37d9d25dc72449f4bbdf92bf70511684bd3819f8306f363eb1cfd6fd0e91e365
DarkCloud
42ef434d4f2fbb1d7dcc088b49c7fd18b15a5cc6871d3b03126071f2981de33f
DarkCloud
6923fdc205daf214ddfdcfc83f398da7646f48d4c3e432b7df373a2d2f5ba1ba
DarkCloud
89787eecba81c6d44901dcc74adc393548414b4e1c7f642f0fbe4a9ccfba039a
DarkCloud
+ 22 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230717-tgr88adh9y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/30f86f30-fe88-4a97-b9ab-ea738a1f0f76/
SH256 hash:
86a5eaa86f5a9534bce7f4b934013e45a0eababfda8cc06b462d79b169ed3539
MD5 hash:
c8b48761b883027a7f6d3abc4d317fb4
SHA1 hash:
4b9c7db7b20651c4e2ab8f93f2a0e29bc0f009c7
Link:
https://www.unpac.me/results/30f86f30-fe88-4a97-b9ab-ea738a1f0f76/
SH256 hash:
9def51a197c5e6fa7b42633d5fa792175c8f433953735e77921cb98d8d9bc24f
MD5 hash:
9bf1e601738b451ef1219afeec8cc156
SHA1 hash:
02da633fc8f0feb47574643cc5fa565791254f5f
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/30f86f30-fe88-4a97-b9ab-ea738a1f0f76/
Parent samples :
a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e
c05fbef6ef68934b1381cf48a956981ea7e1bc4969ca97c8d9851c0309e4538f
11592500f755d82318d47eca784ea07ae649253a8655687d1c61f852f9e9eac9
4e0c4ff1b04d55403948acded8a2a584b869a984d1f846a18f52c6bd67631337
f37044c7d35e640b023f3cdc034ad89cdd077a2e8967a9e62f887296faa57a93
SH256 hash:
a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e
MD5 hash:
bc43848fb7dadbbcf35d6c71245e349d
SHA1 hash:
1a7b482f8a43456515188bfa5da676285bd40f83
Link:
https://www.unpac.me/results/30f86f30-fe88-4a97-b9ab-ea738a1f0f76/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/422712/

Comments