MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b49944bb720e52f3f29bce89cda550a1ffaa4387849cbdc4a7be74f7e02a0aea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b49944bb720e52f3f29bce89cda550a1ffaa4387849cbdc4a7be74f7e02a0aea
SHA3-384 hash: dfa261124b7f01dd6b653b78b287350052a895eb8c3f9e6f20cafa923be31e47efc21098b7c08aa314d252789a897ce4
SHA1 hash: 48976a331f343d878aa54dbd5e30f4f07918a4b6
MD5 hash: 7a36be07a4959ceb55ff25e20423b5f1
humanhash: avocado-quiet-virginia-pizza
File name:BL-SHIPPING DOCUMENTS.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:451'754 bytes
First seen:2023-07-19 08:40:11 UTC
Last seen:2023-07-19 12:31:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:PYa6B9MKuWWskSSSe1Ni1H0E/W9Q3KLlH/AIXrTSF1JuwJUA8IHs2woV4TAGUM7V:PYb9MLsk31FEe9/YIXC1JUb1FUMSHUF
Threatray 22 similar samples on MalwareBazaar
TLSH T1B3A4233DB6D9C077D9B144361F3E4B51E2B0B222A5AC2B1F3764291CB47AAD3DA0B710
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:DarkCloud exe Shipping

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BL-SHIPPING DOCUMENTS.exe
Verdict:
Malicious activity
Analysis date:
2023-07-19 08:41:41 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/45deec73-8e41-42c1-ab0c-825beceeeb8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/424537/
Detection(s):
Sanesecurity.Rogue.0hr.20230718-1233.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64b7a19f87b3dbad8aad2226/reports/4190d31e-e88c-47be-80b1-722f2c86b8dd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b49944bb720e52f3f29bce89cda550a1ffaa4387849cbdc4a7be74f7e02a0aea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f9ee00c-5c5a-435a-91d7-0a1e99e994fa
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275793
Signature
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275793 Sample: BL-SHIPPING_DOCUMENTS.exe Startdate: 19/07/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 5 other signatures 2->53 6 BL-SHIPPING_DOCUMENTS.exe 1 20 2->6         started        10 nwsclhqmvf.exe 18 2->10         started        12 custody.exe 2->12         started        14 2 other processes 2->14 process3 file4 31 C:\Users\user\AppData\...\nwsclhqmvf.exe, PE32 6->31 dropped 33 C:\Users\user\AppData\Local\...\glhgx.dll, PE32 6->33 dropped 59 Detected unpacking (changes PE section rights) 6->59 61 Detected unpacking (overwrites its own PE header) 6->61 63 May check the online IP address of the machine 6->63 75 3 other signatures 6->75 16 BL-SHIPPING_DOCUMENTS.exe 2 46 6->16         started        35 C:\Users\user\AppData\Local\...\glhgx.dll, PE32 10->35 dropped 65 Multi AV Scanner detection for dropped file 10->65 67 Machine Learning detection for dropped file 10->67 69 Maps a DLL or memory area into another process 10->69 21 nwsclhqmvf.exe 42 10->21         started        37 C:\Users\user\AppData\Local\...\glhgx.dll, PE32 12->37 dropped 71 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 12->71 73 Writes or reads registry keys via WMI 12->73 23 custody.exe 12->23         started        39 C:\Users\user\AppData\Local\...\glhgx.dll, PE32 14->39 dropped 41 C:\Users\user\AppData\Local\...\glhgx.dll, PE32 14->41 dropped 25 custody.exe 14->25         started        27 nwsclhqmvf.exe 14->27         started        signatures5 process6 dnsIp7 43 mail.classicbd.com 119.148.26.9, 465, 49704, 49706 AGNI-ASAgniSystemsLimitedBD Bangladesh 16->43 45 showip.net 162.55.60.2, 49703, 49705, 49708 ACPCA United States 16->45 29 C:\Users\user\AppData\Roaming\...\custody.exe, PE32 16->29 dropped 55 Creates multiple autostart registry keys 16->55 57 Tries to harvest and steal browser information (history, passwords, etc) 25->57 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b49944bb720e52f3f29bce89cda550a1ffaa4387849cbdc4a7be74f7e02a0aea/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 09:09:14 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wsmujo3sbzjph4u3z2e43jkquh72uq4hqsol3rfhxz2ppybkblva._file
Verdict:
malicious
Similar samples:
081d698ce05d76d8762d9f725143095a0c3ee39a663c08e4523e951dfab93507
DarkCloud
1f86f42e9b3f949288c425fb5e3a57a6977a0c529e129a84a9c1935e4a2a2482
DarkCloud
43b0616d8f71811739454e94f8a91e47dfd51e0d30a38c7a90f78feb6b177556
DarkCloud
62e14feb0e0a4b6b36e258f63af59d4b68809fe0761b6c58c7ecdea90f4f2c1d
DarkCloud
6923fdc205daf214ddfdcfc83f398da7646f48d4c3e432b7df373a2d2f5ba1ba
DarkCloud
8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed
DarkCloud
9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
DarkCloud
ad9af6543f3eda2c556ad005fc4f5b3b3b5298f54312d1fda5354534903f55af
DarkCloud
d363a0101122b51e0bf68805358b28d087a616ebf04d666c6182fc6549fc8a22
DarkCloud
d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3
DarkCloud
+ 12 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer
Link:
https://tria.ge/reports/230719-klen9aaa79/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/35c415d3-4572-4641-940d-384056c278ac/
SH256 hash:
26a90a474473473c577e4f4938b1da7c589be503c375641bf44874604be17da2
MD5 hash:
50191a93f1fd272c429d51e198fc0662
SHA1 hash:
74e229389a22471072fd1b75c88ef1cc5805dbb3
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/35c415d3-4572-4641-940d-384056c278ac/
SH256 hash:
b49944bb720e52f3f29bce89cda550a1ffaa4387849cbdc4a7be74f7e02a0aea
MD5 hash:
7a36be07a4959ceb55ff25e20423b5f1
SHA1 hash:
48976a331f343d878aa54dbd5e30f4f07918a4b6
Link:
https://www.unpac.me/results/35c415d3-4572-4641-940d-384056c278ac/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b49944bb720e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b49944bb720e52f3f29bce89cda550a1ffaa4387849cbdc4a7be74f7e02a0aea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip 9b7e62b5c34434fcc81018f4c5354a44ca686449746688d63868b0e72ecd8e08

DarkCloud

Executable exe b49944bb720e52f3f29bce89cda550a1ffaa4387849cbdc4a7be74f7e02a0aea

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9b7e62b5c34434fcc81018f4c5354a44ca686449746688d63868b0e72ecd8e08
Cape
Cape
https://www.capesandbox.com/analysis/424537/
  
Dropped by
MD5 fbd4307dfb98aeda1bc61cd4d9423594

Comments