MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1725944985e772a05352396df8a4f1c2ead57379b075beb7a0b76c5ace344af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	c1725944985e772a05352396df8a4f1c2ead57379b075beb7a0b76c5ace344af
SHA3-384 hash:	1ace045467a29c289b16def5c7dff6893cd3ecc04ff1d00c5c09259bfffa6df6edb8fd446aed3730fbce6b866a8f722e
SHA1 hash:	1fd4537d304cba9d6987eb8af1d00088e5fa2f9b
MD5 hash:	bb1ddeaae5f7ce25bfba00ac7d1b7130
humanhash:	double-march-south-iowa
File name:	SecuriteInfo.com.Win32.TrojanX-gen.21244.19605
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	1'079'296 bytes
First seen:	2023-07-06 07:40:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:gzdNnNi48Zlk0VqGdzbGKcL29DmLUI9FOGYUQIjsTtW9dypg0w:idNnND6lxVqGdGKcL29DAU2/zQrhW9dm
Threatray	412 similar samples on MalwareBazaar
TLSH	T15535AE3C1CBC7223C134F6E68F9DC421F690D56A3E61DE2B69D39899061EA0265C7D3E
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	SecuriteInfoCom
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.TrojanX-gen.21244.19605

Verdict:

Malicious activity

Analysis date:

2023-07-06 07:43:39 UTC

Tags:

darkcloud

Link:

https://app.any.run/tasks/09461af5-dac9-4fd1-b511-a2fc8f3ccf41

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/408931/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.21244.19605.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64a6700f8583eaadb34f0a94/reports/a1337419-1bf2-4123-8d3d-fb065ba6b1c4/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/c1725944985e772a05352396df8a4f1c2ead57379b075beb7a0b76c5ace344af

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9ade6b91-0f1b-4c6e-8200-2e6c9517e10a

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1267868

Signature

.NET source code contains very large strings

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Tries to harvest and steal browser information (history, passwords, etc)

Writes or reads registry keys via WMI

Yara detected DarkCloud

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1725944985e772a05352396df8a4f1c2ead57379b075beb7a0b76c5ace344af/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2023-07-06 03:16:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yfzfsreylz3subjveoln7cspdqxk2vzxtmdvx232bn3mllhdisxq._file

Verdict:

malicious

DarkCloud

4f5242a579997963c7e2d248b36913a5a2a428f3329a67f10e48946b68049bd1

DarkCloud

54cd2e3e00d7370c6064ac4a49494694df623ff169a1aa6eb8759f55bae2f758

DarkCloud

5c2f77ce4a869075caec54297208317d3d5c274f8a732f698be0fc51cb81ae6e

DarkCloud

611a803aec6b5689e31f10c210feef21fccbf9843d7224d01a65065f2e93ed26

DarkCloud

62e14feb0e0a4b6b36e258f63af59d4b68809fe0761b6c58c7ecdea90f4f2c1d

DarkCloud

71f4fe8216968fa2ed52b407e09f024353128de231c69001938b828d283a2b05

DarkCloud

9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3

DarkCloud

c3d57a118cd5369dc4d9b50ef6d631ead1a0922f7074c861e2b6b02230fa6047

DarkCloud

d6844e4d321d82b76bd2d9d6b66c6a8edfd695323a741481cddb426825cebc44

DarkCloud

+ 402 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud stealer

Link:

https://tria.ge/reports/230706-jh4crsah8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

DarkCloud

Unpacked files

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9dab1dbc1051a39d7558b20a7c185dfaff9b3f05af0b53b1cf00b0efa6a882a9

MD5 hash:

6340e73366fd824b80bc5e5a7bf46ad3

SHA1 hash:

7387a5712b998c720c9cd79b9ea8f58ac3bd8194

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3

MD5 hash:

ddc8615f9751995ed3950b1ca6977412

SHA1 hash:

62350c8523f0ff5cda8979330237c66c19d27c74

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

58fe7932a0abd597c0688bc420bafa9c0928fbe92838fab80eb08ca7d30680e6

MD5 hash:

18386de19fdb2319af31889d6d05c40f

SHA1 hash:

4b045c89084097742a28280322a321ad35d4e475

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9dab1dbc1051a39d7558b20a7c185dfaff9b3f05af0b53b1cf00b0efa6a882a9

MD5 hash:

6340e73366fd824b80bc5e5a7bf46ad3

SHA1 hash:

7387a5712b998c720c9cd79b9ea8f58ac3bd8194

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3

MD5 hash:

ddc8615f9751995ed3950b1ca6977412

SHA1 hash:

62350c8523f0ff5cda8979330237c66c19d27c74

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

58fe7932a0abd597c0688bc420bafa9c0928fbe92838fab80eb08ca7d30680e6

MD5 hash:

18386de19fdb2319af31889d6d05c40f

SHA1 hash:

4b045c89084097742a28280322a321ad35d4e475

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9dab1dbc1051a39d7558b20a7c185dfaff9b3f05af0b53b1cf00b0efa6a882a9

MD5 hash:

6340e73366fd824b80bc5e5a7bf46ad3

SHA1 hash:

7387a5712b998c720c9cd79b9ea8f58ac3bd8194

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3

MD5 hash:

ddc8615f9751995ed3950b1ca6977412

SHA1 hash:

62350c8523f0ff5cda8979330237c66c19d27c74

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

58fe7932a0abd597c0688bc420bafa9c0928fbe92838fab80eb08ca7d30680e6

MD5 hash:

18386de19fdb2319af31889d6d05c40f

SHA1 hash:

4b045c89084097742a28280322a321ad35d4e475

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9dab1dbc1051a39d7558b20a7c185dfaff9b3f05af0b53b1cf00b0efa6a882a9

MD5 hash:

6340e73366fd824b80bc5e5a7bf46ad3

SHA1 hash:

7387a5712b998c720c9cd79b9ea8f58ac3bd8194

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

9dab1dbc1051a39d7558b20a7c185dfaff9b3f05af0b53b1cf00b0efa6a882a9

MD5 hash:

6340e73366fd824b80bc5e5a7bf46ad3

SHA1 hash:

7387a5712b998c720c9cd79b9ea8f58ac3bd8194

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3

MD5 hash:

ddc8615f9751995ed3950b1ca6977412

SHA1 hash:

62350c8523f0ff5cda8979330237c66c19d27c74

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

58fe7932a0abd597c0688bc420bafa9c0928fbe92838fab80eb08ca7d30680e6

MD5 hash:

18386de19fdb2319af31889d6d05c40f

SHA1 hash:

4b045c89084097742a28280322a321ad35d4e475

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

867c70bd4fb8c0b35a98109c398d54c47d3042dca3e91fad56a4449fca9bbec3

MD5 hash:

ddc8615f9751995ed3950b1ca6977412

SHA1 hash:

62350c8523f0ff5cda8979330237c66c19d27c74

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

58fe7932a0abd597c0688bc420bafa9c0928fbe92838fab80eb08ca7d30680e6

MD5 hash:

18386de19fdb2319af31889d6d05c40f

SHA1 hash:

4b045c89084097742a28280322a321ad35d4e475

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

SH256 hash:

c1725944985e772a05352396df8a4f1c2ead57379b075beb7a0b76c5ace344af

MD5 hash:

bb1ddeaae5f7ce25bfba00ac7d1b7130

SHA1 hash:

1fd4537d304cba9d6987eb8af1d00088e5fa2f9b

Link:

https://www.unpac.me/results/52dc89d6-146b-421e-9111-ae96a04e54bb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/c1725944985e772a05352396df8a4f1c2ead57379b075beb7a0b76c5ace344af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/408931/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample