MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c290e0bdb81c04ea7bf7a2154d9a52fb097416628350cfaefbc642ae781affe8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 8

SHA256 hash: c290e0bdb81c04ea7bf7a2154d9a52fb097416628350cfaefbc642ae781affe8
SHA3-384 hash: 3d0d298cbe5e55f78cd6329413f3dcac7b0ba93aa1f75b6efe885d170228ce2fd40c98a94e316d408ee7caae40f90956
SHA1 hash: 19a5ca2e0592e8f2a0eab3850e47d0e45df6abf5
MD5 hash: a1a68f938b704977018d5a0ef3e544cf
humanhash: finch-finch-robin-one
File name: (NATIONAL UNIVERSITY OF SINGAPORE) NUS5694BU463 QT.zip
Signature: DarkCloud
File size: 646 bytes
First seen: 2023-04-14 06:49:01 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 12:5jpC616GLOyW6uteAU2dPRwO89jvf6kGUc28MWBeXEmFaWAnCvr16tBas:94616GLqjc2dPRwO6jvb18XBe0mFaTCc
TLSH: T182F068478D64485AC2369331F00381AD521D4D0C04CDE00BFE189FDB0DC159D8949A4A
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: DarkCloud zip


cocaman
Malicious email (T1566.001)
From: "paynow_lim@limsign.com.sg" (likely spoofed)
Received: "from limsign.com.sg (unknown [185.28.39.15]) "
Date: "13 Apr 2023 10:11:54 -0700"
Subject: "(NATIONAL UNIVERSITY OF SINGAPORE) NUS5694/BU463 QT. To lgpartner.ch zip,"
Attachment: "(NATIONAL UNIVERSITY OF SINGAPORE) NUS5694BU463 QT.zip"

Intelligence

File Origin
# of uploads: 1
# of downloads: 573
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: (NATIONAL UNIVERSITY OF SINGAPORE) NUS5694BU463 QT.js
File size: 933 bytes
SHA256 hash: 876d5ac08e8e7b2c195a78a6a670dc302dce66e537a109f2e03351cd7d5289d5
MD5 hash: 51d889441d1ae8fa7c2fcc3be3ba9b10
MIME type: text/plain
Signature: DarkCloud
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: JS File - Malicious
Payload URLs:
  URL: https://transfer.sh/get/SIfrsc/grace11.exe',
  File name: JS File
Behaviour: BlacklistAPI detected

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: exploit nemucod obfuscated remcos shell32.dll
Threat name: Script-JS.Downloader.Callisto

Status: Malicious
First seen: 2023-04-13 11:28:33 UTC
File Type: Binary (Archive)
Extracted files: 1
AV detection: 16 of 36 (44.44%)
Threat level: 3/5

Result
Malware family: darkcloud
Score: 10/10
Tags: family:darkcloud stealer
Behaviour:
  Suspicious behavior: MapViewOfSection
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Checks computer location settings
  Executes dropped EXE
  Blocklisted process makes network request
  Downloads MZ/PE file
DarkCloud
Malware Config
C2 Extraction: https://api.telegram.org/bot6111853930:AAG17B4Rp0N5JOuu_E6TDmywX961M_dYkrI/sendMessage?chat_id=5237953097

Please note that we are no longer able to provide a coverage score for Virus Total.
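The C2 Extraction line above is the shape of indicator a Telegram-exfiltrating stealer leaves behind: a Bot API URL whose path carries the bot id and secret and whose query carries the chat id. The following is an added example, not MalwareBazaar's or any vendor's extractor, of pulling such endpoints out of a sample or process dump. It looks at the bytes both as narrow text and as UTF-16LE at both alignments, since Windows stealers often hold their configuration in wide strings. The regex's assumptions (secret of at least 30 token characters, a conservative query character class) and the SAMPLE_DUMP bytes are mine; SAMPLE_DUMP is constructed and only reuses the C2 URL shown in this entry.

```python
"""Extract Telegram Bot API exfiltration endpoints from a sample or process dump."""
import re
from urllib.parse import parse_qs

# One Telegram Bot API call: https://api.telegram.org/bot<bot_id>:<secret>/<method>?chat_id=<id>
# The host must be exactly api.telegram.org followed by /bot, so lookalike domains do not match.
# A real bot secret is 35 characters; >=30 is accepted (assumption) so a slightly truncated
# dump still matches. The query class is deliberately narrow so NUL bytes from wide strings
# or HTML/JS delimiters end the match.
TELEGRAM_C2_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>[A-Za-z0-9_=&%.+-]*))?"
)


def candidate_texts(data: bytes):
    """Yield (encoding, text) views of the same bytes: Latin-1 for narrow strings and
    UTF-16LE at both byte alignments, because Windows stealers commonly keep their
    configuration in wide strings that an ASCII-only regex would miss."""
    yield "latin-1", data.decode("latin-1")
    for offset in (0, 1):
        chunk = data[offset:]
        chunk = chunk[: len(chunk) & ~1]  # UTF-16 needs an even byte count
        yield "utf-16-le", chunk.decode("utf-16-le", errors="ignore")


def extract_telegram_c2(data: bytes):
    """Return one record per (bot_id, chat_id) pair found in data, noting every
    encoding it was seen in. The bot secret is a live credential for that bot,
    so only a short prefix is kept for reporting."""
    found = {}
    for encoding, text in candidate_texts(data):
        for m in TELEGRAM_C2_RE.finditer(text):
            chat_id = parse_qs(m.group("query") or "").get("chat_id", [None])[0]
            key = (m.group("bot_id"), chat_id)
            rec = found.setdefault(key, {
                "bot_id": m.group("bot_id"),
                "chat_id": chat_id,
                "method": m.group("method"),
                "secret_prefix": m.group("secret")[:6] + "...",
                "encodings": set(),
            })
            rec["encodings"].add(encoding)
    return list(found.values())


# Constructed test input (not bytes from the real sample): the C2 URL from this
# entry once as a narrow JS-style string, once as a UTF-16LE wide string at an odd
# byte offset, plus a lookalike host that must be ignored.
C2_URL = ("https://api.telegram.org/bot6111853930:AAG17B4Rp0N5JOuu_E6TDmywX961M_dYkrI"
          "/sendMessage?chat_id=5237953097")
SAMPLE_DUMP = (
    b"MZ\x90\x00filler var u = '" + C2_URL.encode("ascii") + b"';\n"
    + b"https://api.telegram.org.example/bot999:" + b"x" * 35 + b"/sendMessage?chat_id=1\n"
    + b"pad" + C2_URL.encode("utf-16-le") + b"\x00\x00trailing"
)

if __name__ == "__main__":
    for hit in extract_telegram_c2(SAMPLE_DUMP):
        print(hit)
```

The (bot_id, chat_id) pair is the stable thing to pivot on across samples of the same operator; the secret should be treated as a credential and kept out of tickets and shared reports, which is why only a prefix is returned.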

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SUSP_OneNote
Author: spatronn
Description: Hard-Detect One

Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
DarkCloud
zip c290e0bdb81c04ea7bf7a2154d9a52fb097416628350cfaefbc642ae781affe8 (this sample)

Delivery method: Distributed via e-mail attachment

Comments