MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaca8fd06245a7038f0f222f2bd77ffb89b7c41fb7dababa2a7058abd641552f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aaca8fd06245a7038f0f222f2bd77ffb89b7c41fb7dababa2a7058abd641552f
SHA3-384 hash: 3047b7d46b63fdc1279cf92c01b20557a503a2550d518d4da572875b7ae577ba2eed1208ffd8112d439367aec4783a6d
SHA1 hash: 98813c1d2e0548d808a4d46359e854ea0d533bc0
MD5 hash: 4c14d7b5ac4c07799e5db765a3965ad4
humanhash: romeo-william-mexico-fillet
File name:1b820d25eb575ddb78cf2c0dba54ea33b000d106f1d10760047e2ff760cf0b07
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'309'184 bytes
First seen:2026-03-06 15:32:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1ce208b1192bfcf652c179f34f034d3 (36 x AgentTesla, 23 x Formbook, 8 x SnakeKeylogger)
ssdeep 24576:z5EmXFtKaL4/oFe5T9yyXYfP1MAXDzk6Ez/knbkdLv3zi4Bte:zPVt/LZeJbInGizkZ/gW37B
Threatray 1'483 similar samples on MalwareBazaar
TLSH T12E55CF0273C1C062FFABA5734B56F6115BBC79260123A62F13981DBABD701B1563E7A3
TrID 54.5% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
13.4% (.EXE) Win64 Executable (generic) (6522/11/2)
10.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.2% (.EXE) Win32 Executable (generic) (4504/4/1)
4.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:DarkCloud exe upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 1b820d25eb575ddb78cf2c0dba54ea33b000d106f1d10760047e2ff760cf0b07
File size (compressed) :802'816 bytes
File size (de-compressed) :1'309'184 bytes
Format:win32/pe
Packed file: 1b820d25eb575ddb78cf2c0dba54ea33b000d106f1d10760047e2ff760cf0b07

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/6e7ef39f-5d31-4bb8-af7e-c1cf73f5064e/
Malware family:
n/a
ID:
1
File name:
1b820d25eb575ddb78cf2c0dba54ea33b000d106f1d10760047e2ff760cf0b07
Verdict:
Malicious activity
Analysis date:
2026-03-06 16:57:18 UTC
Tags:
auto-startup
Link:
https://app.any.run/tasks/296fbd54-e318-4443-be03-5ca425f7b4b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/56359/
Detection(s):
SecuriteInfo.com.Win32.Trojan.Agent.35E5V6.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/aaca8fd06245a7038f0f222f2bd77ffb89b7c41fb7dababa2a7058abd641552f
Verdict:
Malicious
File Type:
exe x32
Link:
https://opentip.kaspersky.com/aaca8fd06245a7038f0f222f2bd77ffb89b7c41fb7dababa2a7058abd641552f/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b800487c-c05c-4a00-928d-1967b748bef7
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1879707
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1879707 Sample: 1b820d25eb575ddb78cf2c0dba5... Startdate: 06/03/2026 Architecture: WINDOWS Score: 100 40 Antivirus / Scanner detection for submitted sample 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected DarkCloud 2->44 46 5 other signatures 2->46 8 1b820d25eb575ddb78cf2c0dba54ea33b000d106f1d10760047e2ff760cf0b07.exe 4 2->8         started        12 wscript.exe 1 2->12         started        14 puckishness.exe 2->14         started        16 puckishness.exe 2->16         started        process3 file4 36 C:\Users\user\AppData\Local\...\surmit.exe, PE32 8->36 dropped 72 Binary is likely a compiled AutoIt script file 8->72 74 Found API chain indicative of sandbox detection 8->74 76 Unusual module load detection (module proxying) 8->76 18 surmit.exe 2 8->18         started        78 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->78 80 WScript reads language and country specific registry keys (likely country aware script) 12->80 22 surmit.exe 1 12->22         started        signatures5 process6 file7 34 C:\Users\user\AppData\Roaming\...\surmit.vbs, data 18->34 dropped 48 Antivirus detection for dropped file 18->48 50 Multi AV Scanner detection for dropped file 18->50 52 Binary is likely a compiled AutoIt script file 18->52 58 2 other signatures 18->58 24 surmit.exe 1 18->24         started        27 svchost.exe 18->27         started        54 Writes to foreign memory regions 22->54 56 Maps a DLL or memory area into another process 22->56 29 svchost.exe 8 22->29         started        signatures8 process9 signatures10 60 Binary is likely a compiled AutoIt script file 24->60 62 Writes to foreign memory regions 24->62 64 Maps a DLL or memory area into another process 24->64 31 svchost.exe 1 10 24->31         started        66 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 27->66 68 Writes or reads registry keys via WMI 27->68 70 Tries to harvest and steal browser information (history, passwords, etc) 29->70 process11 file12 38 C:\Users\user\AppData\...\puckishness.exe, PE32 31->38 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aaca8fd06245a7038f0f222f2bd77ffb89b7c41fb7dababa2a7058abd641552f
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/4c14d7b5ac4c07799e5db765a3965ad4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aaca8fd06245a7038f0f222f2bd77ffb89b7c41fb7dababa2a7058abd641552f/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2026-03-06 15:34:38 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vlfi7udciwtqhdypeixsxv377oe3pra7w7nlvorkobmkxvsbkuxq._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
0063075daa673a3ec1ae04708e8394c34afac95f193c8486c75d43d450d9d821
DarkCloud
03cf3b904fa5ab697555ec0c6ee3c0cb6bbb42a01876e2d093bd78edc4cbe3f0
DarkCloud
149a430a6f9f5316febfc555e4c26b07139dd519a723bd2f11e2edb8f500fae9
DarkCloud
26927afcf56b0eb4f9b414aa3286696ad8af0a51bbb2a7925a9c58be26e4eb97
DarkCloud
6a552490f5fe075731262f257c9d49392da0534935d28492bcb8a3d8fa41bb0d
DarkCloud
7d8a887d116f563de667cdc00c50702c7312d2fea2c9e6e29827697041c76df6
DarkCloud
9fc9401b548091b02b74da0ea58aa279db23c47c5ab2bfaacea4605df89d511d
DarkCloud
ba93fe96d3ed6fa7fc69797f22b99928824db916ce9e9318a405050d721c2c16
DarkCloud
d5524fe820bb5053c55848f1b832179009569460a9879337458502b4c10c8195
DarkCloud
e07306dec4ab4785340a35fce37bd7e076847ab56ec93af88bb262535f142864
DarkCloud
error
DarkCloud
+ 1'473 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery stealer
Link:
https://tria.ge/reports/260306-szrvqsbw6s/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
DarkCloud
Darkcloud family
Unpacked files
SH256 hash:
aaca8fd06245a7038f0f222f2bd77ffb89b7c41fb7dababa2a7058abd641552f
MD5 hash:
4c14d7b5ac4c07799e5db765a3965ad4
SHA1 hash:
98813c1d2e0548d808a4d46359e854ea0d533bc0
Link:
https://www.unpac.me/results/f56115b7-36bf-45ed-90dd-d972a6470ae4/
SH256 hash:
03f8300cf6febfe047c3c435283fc613359e1d7ea9b275038b3fdaca826c922b
MD5 hash:
17860d5218bfe0d277e1bf6e5db0d03c
SHA1 hash:
655f98abec7da92f4eb836849be3b0a7251cf1a6
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/f56115b7-36bf-45ed-90dd-d972a6470ae4/
Parent samples :
56bcce30cabed6fa0a484821b4bcce0e67847bbcfc5bd3c4920190ae49e0c442
1b820d25eb575ddb78cf2c0dba54ea33b000d106f1d10760047e2ff760cf0b07
aaca8fd06245a7038f0f222f2bd77ffb89b7c41fb7dababa2a7058abd641552f
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/f56115b7-36bf-45ed-90dd-d972a6470ae4/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aaca8fd06245/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DarkCloud

Executable exe 1b820d25eb575ddb78cf2c0dba54ea33b000d106f1d10760047e2ff760cf0b07

DarkCloud

Executable exe aaca8fd06245a7038f0f222f2bd77ffb89b7c41fb7dababa2a7058abd641552f

(this sample)

  
Dropped by
SHA256 1b820d25eb575ddb78cf2c0dba54ea33b000d106f1d10760047e2ff760cf0b07
  
Dropped by
MD5 817bcef39bd9b16ee7005ab82f5d43d9
Cape
Cape
https://www.capesandbox.com/analysis/56359/

Comments