MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc8af8585660edc57262ceb3d66d1ae1b7cdfcfeac2018ee65f9b391cf752cba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc8af8585660edc57262ceb3d66d1ae1b7cdfcfeac2018ee65f9b391cf752cba
SHA3-384 hash: a47b1087506b61f5353a4ef3dbfdb565dffdf1810c863c50ffb2faf70560cbe2a490e4ecdda1bbc7fc27c54cb9ebd74e
SHA1 hash: b8bd3419db38fe3715c54be41feda1d97a413a9d
MD5 hash: 564904a1fee781df9afe881e236d2c97
humanhash: mexico-crazy-alanine-montana
File name:Pedido de cotización n.º 140467.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:19'968 bytes
First seen:2025-08-27 06:42:02 UTC
Last seen:2025-09-05 13:23:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 384:xzG+uaVH6I+RRXQbZ/PlDiwGOCm2Htjs953wZwCpPa6cZoru3:x6aVH67Xe/PelWj3wZVE6CoU
Threatray 253 similar samples on MalwareBazaar
TLSH T181923A0DB3E8D373CFBC557D98B240205774D2076253EB996AD4B09A5A03BAA0F06AF5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
61
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pedido de cotización n.º 140467.exe
Verdict:
No threats detected
Analysis date:
2025-08-27 06:47:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1483ccb9-6fc3-483f-98cf-eb1c0fcd3065

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23771/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.217374.663.9214.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68aea9023e988eb6ab82c8d7
Tags:
autorun micro virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Creating a window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/68aea91f2a70220b68da0adc/reports/1518d455-d3c7-442f-a02f-cd41a9e2e2c8/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/bc8af8585660edc57262ceb3d66d1ae1b7cdfcfeac2018ee65f9b391cf752cba
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-26T13:53:00Z UTC
Last seen:
2025-08-26T13:53:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/bc8af8585660edc57262ceb3d66d1ae1b7cdfcfeac2018ee65f9b391cf752cba/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/abfa0452-9a8b-41cd-b02f-a1cc41a1651b
Result
Threat name:
DarkCloud, PureLog Stealer, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1765944
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DarkCloud
Yara detected Generic Dropper
Yara detected PureLog Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bc8af8585660edc57262ceb3d66d1ae1b7cdfcfeac2018ee65f9b391cf752cba
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc8af8585660edc57262ceb3d66d1ae1b7cdfcfeac2018ee65f9b391cf752cba/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2025-08-26 16:46:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsfpqwcwmdw4k4tcz2z5m3i24g3437h6vqqbr3tf7gzzdt3vfs5a._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed
DarkCloud
289574c91e6ea859bad69b437b5e803a27299ef7ca4469a691052c1cca1eead1
DarkCloud
4b8732ba48e279bad32a8e2c4f8fa46285b65f8a965e8005a6f991f924e1d9eb
DarkCloud
7f5b09b2071ce28f9288ecc2d5c30e9d25753b836c219df62f899f05292c0223
DarkCloud
88b262717657dd4ffbb76a04691859a743d76989fc0a41a3966f6e807923badf
DarkCloud
c74a3e57eaffe14c36fe82c83887e8a1f7943ffffc73c073c616b61d90e43210
DarkCloud
error
DarkCloud
+ 243 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250827-hg9mqaxky4/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f775cf9f-2764-4db9-9685-2f3acd01dedc
Unpacked files
SH256 hash:
bc8af8585660edc57262ceb3d66d1ae1b7cdfcfeac2018ee65f9b391cf752cba
MD5 hash:
564904a1fee781df9afe881e236d2c97
SHA1 hash:
b8bd3419db38fe3715c54be41feda1d97a413a9d
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/aab2e797-81d3-4179-a050-c75448edcded/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc8af8585660/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc8af8585660edc57262ceb3d66d1ae1b7cdfcfeac2018ee65f9b391cf752cba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe bc8af8585660edc57262ceb3d66d1ae1b7cdfcfeac2018ee65f9b391cf752cba

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23771/

Comments