MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5b68c718a845c83773d2d0e7cf53cf5364953677af6a4bbf583aa02852d9705. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkCloud


Vendor detections: 15


SHA256 hash: b5b68c718a845c83773d2d0e7cf53cf5364953677af6a4bbf583aa02852d9705
SHA3-384 hash: b70a6fab31fe3243777a4befc51de81eda231c8f0b907da1ca8bd2fd98d4e3139d0cf6a6c44af0a7ce707d089a19a137
SHA1 hash: c383591b13c5ddd772ed182a8107703d539f57ce
MD5 hash: c8da2c8a14698dec81b1bf900a05cafb
humanhash: dakota-cold-table-two
File name: SecuriteInfo.com.Win32.MalwareX-gen.30685.1806
Signature: DarkCloud
File size: 27'648 bytes
First seen: 2025-05-31 03:22:14 UTC
Last seen: 2025-05-31 04:21:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'797 x AgentTesla, 19'705 x Formbook, 12'278 x SnakeKeylogger)
ssdeep: 768:QAeQU95KemtR4e8kYPryyh3fvxeEgKXY5/N5kx:AQU6r4e8kYDyydpeEgKXYY
Threatray: 3'522 similar samples on MalwareBazaar
TLSH: T1A7C2FA0017E8863AE7BF277074F3162006B0F946B972DF4E6E95D1E9185378A198337E
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: SecuriteInfoCom
Tags: DarkCloud exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 463
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Win32.MalwareX-gen.30685.1806
Verdict: Malicious activity
Analysis date: 2025-05-31 03:24:51 UTC
Tags: fileshare auto-startup m0yv evasion stealer darkcloud ims-api generic upx crypto-regex

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: obfuscate autorun xtreme shell

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: base64 obfuscated

Result
Threat name: DarkCloud, ResolverRAT
Detection: malicious
Classification: spre.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses threadpools to delay analysis
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DarkCloud
Yara detected Generic Dropper
Yara detected ResolverRAT
Yara detected Telegram RAT
Behaviour
Behavior Graph ID: 1702811
Sample: SecuriteInfo.com.Win32.Malw...
Startdate: 31/05/2025
Architecture: WINDOWS
Score: 100

Start node (2):
  Network: xlfhhhm.biz; vcddkls.biz; 33 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
  Started: SecuriteInfo.com.Win32.MalwareX-gen.30685.1806.exe (9); wscript.exe (14); alg.exe (16); 20 other processes (18)

SecuriteInfo.com.Win32.MalwareX-gen.30685.1806.exe (9):
  Network: files.catbox.moe 108.181.20.43, 443, 49692, 49714 ASN852CA Canada
  Dropped: C:\Users\user\AppData\Roaming\Buka.exe (PE32); C:\Users\user\AppData\Roaming\...\Buka.vbs (ASCII); C:\Users\user\...\Buka.exe:Zone.Identifier (ASCII)
  Signatures: Drops VBS files to the startup folder; Encrypted powershell cmdline option found; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 4 other signatures
  Started: InstallUtil.exe (20); powershell.exe (25); cmd.exe (27); cmd.exe (29)

wscript.exe (14):
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: Buka.exe (31)

alg.exe (16):
  Network: xlfhhhm.biz 54.146.6.253, 49723, 49725, 80 AMAZON-AESUS United States; yunalwv.biz 104.156.155.94, 49737, 49738, 49754 SRCACCESSUS United States; 3 other IPs or domains
  Signatures: Creates files in the system32 config directory; Contains functionality to behave differently if execute on a Russian/Kazak computer

20 other processes (18):
  Dropped: C:\Windows\System32\sppsvc.exe (PE32+)
  Signatures: Creates files inside the volume driver (system volume information); Infects executable files (exe, dll, sys, html); Found direct / indirect Syscall (likely to bypass EDR)
  Started: SearchProtocolHost.exe (33); SearchFilterHost.exe (35)

InstallUtil.exe (20):
  Network: vcddkls.biz 18.234.103.197, 49698, 49700, 49705 AMAZON-AESUS United States; parkingpage.namecheap.com 91.195.240.19, 49708, 49712, 80 SEDO-ASDE Germany; 10 other IPs or domains
  Dropped: C:\Windows\System32\wbengine.exe (PE32+); C:\Windows\System32\wbem\WmiApSrv.exe (PE32+); C:\Windows\System32\vds.exe (PE32+); 117 other malicious files
  Signatures: Writes data at the end of the disk (often used by bootkits to hide malicious code); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes); Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)

powershell.exe (25):
  Dropped: C:\...\__PSScriptPolicyTest_modfjtx3.fz4.psm1 (ASCII); C:\...\__PSScriptPolicyTest_hrhf0kcw.zpc.ps1 (ASCII); C:\...\__PSScriptPolicyTest_dmtkrtpa.abz.ps1 (ASCII); 2 other malicious files
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (37); WmiPrvSE.exe (39)

cmd.exe (27):
  Signatures: Uses ipconfig to lookup or modify the Windows network settings
  Started: conhost.exe (41); ipconfig.exe (43)

cmd.exe (29):
  Started: conhost.exe (45); ipconfig.exe (47)

Buka.exe (31):
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes; Uses threadpools to delay analysis
  Started: InstallUtil.exe (49); cmd.exe (52); cmd.exe (54)

InstallUtil.exe (49):
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

cmd.exe (52):
  Started: conhost.exe (56); ipconfig.exe (58)

cmd.exe (54):
  Started: conhost.exe (60); ipconfig.exe (62)
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-05-31 02:09:20 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: darkcloud
Score: 10/10
Tags: family:darkcloud discovery spyware stealer

Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
DarkCloud
Darkcloud family

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: b5b68c718a845c83773d2d0e7cf53cf5364953677af6a4bbf583aa02852d9705
MD5 hash: c8da2c8a14698dec81b1bf900a05cafb
SHA1 hash: c383591b13c5ddd772ed182a8107703d539f57ce
Detections: PureCrypter_Stage1
Malware family: DarkCloud
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments