MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c09386103f3ffe58ae39ad0658fb27e56a2e7ba797850333dc76c081db9c8b79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c09386103f3ffe58ae39ad0658fb27e56a2e7ba797850333dc76c081db9c8b79
SHA3-384 hash: 7706d97e7b3436c9c7919d3d7f1f62dc24be01acb57f7f3eb7e661f7842c86ad80e42e9d5fc38644243e551170fec063
SHA1 hash: 6c05cd316b7c0eadefdf3bb7c05fa28f8148d158
MD5 hash: a701f86612672d675cb9b6a58e7caff7
humanhash: india-high-robert-hot
File name:DKP98765434567000987890.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:663'168 bytes
First seen:2022-10-18 07:26:09 UTC
Last seen:2022-10-18 08:27:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (725 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:+b/W0t/VWeC8Yt7T59iuPHiDR5VF5AC20MgPxxE1wik6MD+Jt3S:+bNt/ceCtt7TfiuPHiNLFiCNPxxE11kR
Threatray 2'986 similar samples on MalwareBazaar
TLSH T1E4E4F1C2B12081E9FC6A177264270D9619932C7DE6B8D65C71F937223FF72A3402E56B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 068f0b2a2b363f06 (19 x SnakeKeylogger, 8 x AgentTesla, 8 x MassLogger)
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321247/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.45300.27735.9309.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43583/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/634e55484fc319a52d5616b6/reports/8fb6718d-07e2-4f2c-8bc7-e4ae186b265b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59ce1cc0-7080-4731-a97d-97df4aba2afd
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092581
Signature
Antivirus detection for dropped file
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found hidden mapped module (file has been removed from disk)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 725200 Sample: DKP98765434567000987890.exe Startdate: 18/10/2022 Architecture: WINDOWS Score: 100 58 Antivirus detection for dropped file 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->62 64 4 other signatures 2->64 7 DKP98765434567000987890.exe 18 2->7         started        10 vexrfhig.exe 2 2->10         started        13 vexrfhig.exe 1 2->13         started        process3 file4 30 C:\Users\user\AppData\Local\Temp\cqart.exe, PE32 7->30 dropped 15 cqart.exe 1 3 7->15         started        32 C:\Users\user\AppData\Local\Temp\DB2A.tmp, PE32 10->32 dropped 34 C:\Users\user\AppData\Local\Temp\C928.tmp, PE32 10->34 dropped 66 Multi AV Scanner detection for dropped file 10->66 68 May check the online IP address of the machine 10->68 70 Machine Learning detection for dropped file 10->70 74 3 other signatures 10->74 19 vexrfhig.exe 13 10->19         started        22 vexrfhig.exe 10->22         started        36 C:\Users\user\AppData\Local\Temp720.tmp, PE32 13->36 dropped 72 Maps a DLL or memory area into another process 13->72 24 vexrfhig.exe 13->24         started        signatures5 process6 dnsIp7 40 C:\Users\user\AppData\...\vexrfhig.exe, PE32 15->40 dropped 42 C:\Users\user\AppData\Local\Temp\2017.tmp, PE32 15->42 dropped 48 Multi AV Scanner detection for dropped file 15->48 50 May check the online IP address of the machine 15->50 52 Machine Learning detection for dropped file 15->52 56 4 other signatures 15->56 26 cqart.exe 15 15->26         started        44 showip.net 19->44 54 Tries to harvest and steal browser information (history, passwords, etc) 19->54 file8 signatures9 process10 dnsIp11 46 showip.net 162.55.60.2, 49695, 49696, 80 ACPCA United States 26->46 38 C:\Users\Public\vbsqlite3.dll, PE32 26->38 dropped file12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c09386103f3ffe58ae39ad0658fb27e56a2e7ba797850333dc76c081db9c8b79/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-13 06:21:40 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ycjymeb7h77frlrzvudfr6zh4vvc465hs6cqgm64o3aidw44rn4q._file
Verdict:
malicious
Similar samples:
1a75562c1f36367f9c5835fcc13efd255ad2661f09d80cc1dfab3a9fba640104
DarkCloud
231ba68aed77233685a7431ba8b1df348d0dc71860f41c7d43a5f6f486a1c66d
DarkCloud
45969e23492b09bf7e761590493dc169570c2c4d66b20a523e20ea923d2b6070
DarkCloud
709d1d9f1e0485cca2cdad3fe16fa9992a2dd07b2310a98dc65066530d4033fe
DarkCloud
796b93e1306888ffa8b48c29ff68dee8f6bb7d1fb0b96beb0ba3fd3b3d0f801d
DarkCloud
8f08318090a1dd5d08d0ebe5b2ef3d2a9aa2f54cb5b30db64773756b50bd21e9
DarkCloud
d476dd03b89f907816cb87f2182926791494de65269e1b82356c61a7350e1fad
DarkCloud
fae591d3e1cea136791a06b8c59265af25eccf0d30b8500c9e8c664708e1937a
DarkCloud
+ 2'976 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221018-h931msehe5/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8b248b2f-7956-4ed6-b09d-7f331cfed158
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/d7620de7-53a1-4d5d-a57c-cd3038eb1d53/
SH256 hash:
c9337a299764af59d6152d2ccae63dbe407814f380e9d296303d814d09202995
MD5 hash:
26ea25de60e1ad391a363bd50e6c0bb9
SHA1 hash:
3c6b46fa53b5429243a1804f83f6737b4bef93eb
Link:
https://www.unpac.me/results/d7620de7-53a1-4d5d-a57c-cd3038eb1d53/
SH256 hash:
64c4f0f99e9f0f48d3aa1645e330a64f1d52a4ed421096a3f559a7e51bca7fa5
MD5 hash:
fb39d7075f0adc784a7a303727596599
SHA1 hash:
212e7db4b67150d98992350bc1764cd51c83f489
Link:
https://www.unpac.me/results/d7620de7-53a1-4d5d-a57c-cd3038eb1d53/
SH256 hash:
c09386103f3ffe58ae39ad0658fb27e56a2e7ba797850333dc76c081db9c8b79
MD5 hash:
a701f86612672d675cb9b6a58e7caff7
SHA1 hash:
6c05cd316b7c0eadefdf3bb7c05fa28f8148d158
Link:
https://www.unpac.me/results/d7620de7-53a1-4d5d-a57c-cd3038eb1d53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c09386103f3ffe58ae39ad0658fb27e56a2e7ba797850333dc76c081db9c8b79

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe c09386103f3ffe58ae39ad0658fb27e56a2e7ba797850333dc76c081db9c8b79

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321247/

Comments