MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c71f0e07ad8827974bdc2096bd1db1f86831f997473e40b31167711a00c1fa37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c71f0e07ad8827974bdc2096bd1db1f86831f997473e40b31167711a00c1fa37
SHA3-384 hash: a8b8ab8660ed5f86c99813217c8394de8a5a9b4db914d2e0fa247ce6cb6530f359dd560028fcdca7b4fb18cd55786a4e
SHA1 hash: d78e9cb47a668e0083b3ad71a1514c760ab19e91
MD5 hash: 92791e14b9df3b2381924a7cdc35aef6
humanhash: fillet-six-rugby-bakerloo
File name:Payment slip.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:928'256 bytes
First seen:2023-08-01 09:30:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:U+ugMYmQ374Za2lN//mNXzjkSYy8n1CvnSs/+mFolhpNFA/zTsH4fz+fxph:U+uDYmw74ZjN/o3uy8n1+//+ZfTwTsHn
Threatray 250 similar samples on MalwareBazaar
TLSH T1D71512B156E89B6EC91A0FFE4475006443A067793A36D76E4FC663EC2B303426325FE6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e2e29a86e6ea8686 (13 x AgentTesla, 5 x Formbook, 2 x Loki)
Reporter TeamDreier
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment slip.exe
Verdict:
Malicious activity
Analysis date:
2023-08-01 09:33:06 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/0d2897ff-4e42-43fd-9613-1f8df4cdf29d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439527/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68454357.6140.3631.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64c8d0dce64bd705397f3b18/reports/b0f83f87-e61d-43d9-b6b9-ef5d8c7c6492/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c71f0e07ad8827974bdc2096bd1db1f86831f997473e40b31167711a00c1fa37
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b3c9379-82a9-423b-9808-45ec824c136e
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1283584
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1283584 Sample: Payment slip.exe Startdate: 01/08/2023 Architecture: WINDOWS Score: 100 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Sigma detected: Scheduled temp file as task from temp location 2->74 76 8 other signatures 2->76 7 Payment slip.exe 7 2->7         started        11 ILfJQfQZEz.exe 5 2->11         started        13 freudianism.exe 2->13         started        15 freudianism.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\ILfJQfQZEz.exe, PE32 7->52 dropped 54 C:\Users\...\ILfJQfQZEz.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmpC018.tmp, XML 7->56 dropped 58 C:\Users\user\...\Payment slip.exe.log, ASCII 7->58 dropped 78 Adds a directory exclusion to Windows Defender 7->78 17 Payment slip.exe 1 11 7->17         started        21 powershell.exe 19 7->21         started        32 3 other processes 7->32 80 Multi AV Scanner detection for dropped file 11->80 82 Writes or reads registry keys via WMI 11->82 23 ILfJQfQZEz.exe 11->23         started        34 5 other processes 11->34 25 freudianism.exe 13->25         started        36 2 other processes 13->36 84 Injects a PE file into a foreign processes 15->84 27 freudianism.exe 15->27         started        30 schtasks.exe 15->30         started        signatures5 process6 dnsIp7 60 capitol-tc.com 181.214.142.230, 49690, 49694, 49695 ASDETUKhttpwwwheficedcomGB Chile 17->60 62 mail.capitol-tc.com 17->62 50 C:\Users\user\AppData\...\freudianism.exe, PE32 17->50 dropped 38 conhost.exe 21->38         started        64 mail.capitol-tc.com 23->64 66 mail.capitol-tc.com 25->66 68 mail.capitol-tc.com 27->68 86 Tries to harvest and steal browser information (history, passwords, etc) 27->86 40 conhost.exe 30->40         started        42 conhost.exe 32->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 36->48         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c71f0e07ad8827974bdc2096bd1db1f86831f997473e40b31167711a00c1fa37/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 12:26:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4pq4b5nratzos64ecll2hnr7budd6mxi47ebmyrm5yruagb7i3q._file
Verdict:
malicious
Similar samples:
0255e2579c043b9a3557a95a0a37af0dceb75077680a436087c70268d70411de
DarkCloud
17b7a8bce60617c9f97a3464bbdba87d94da9c08b533fc07f3727376feae538d
DarkCloud
198a27bb3eafb16e85363be12dc849311bc4e25043794c5ee1364f2422dbdf4d
DarkCloud
1a166a2469e8634ab832469a47076affd97eec7d5b4855f33879960e559a235d
DarkCloud
6d0ab1c3aadadef9335264a57ef26a307636d0367f57695f95284f03fa5e4111
DarkCloud
924f000ee5e3b7cd618b1f9d9d7e2203f469fba4536a86eb022d718b71f13e96
DarkCloud
9f31bb30ebd91a758214962fd6ead4a2fb6b5dc99a4e4296084a3af02eae2b8a
DarkCloud
a44d262ed7c8085b22ad15653bd2a7d3ecc966c3e7c54252de5670ce64027847
DarkCloud
e949856ccd8b9d36fb7c2322f2c09d2a969c0121c9b08361cf16dc08c316d3ad
DarkCloud
ec94fe18197f8fccb0e786717ba7fbafcb1f7376e6350e19c2cd7072e62dd204
DarkCloud
+ 240 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230801-lg2tnaga4s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/2ca5a580-9a1b-4727-86bd-0b2f914f603d/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/2ca5a580-9a1b-4727-86bd-0b2f914f603d/
SH256 hash:
6cf753f40707113e2cf6480ac327d6187b439aaee539138c4faa10fb90d042ed
MD5 hash:
4f39797f58b1f8f82f852753ba64c86d
SHA1 hash:
8157432fa57845220b15100ca7132b58a221d56e
Link:
https://www.unpac.me/results/2ca5a580-9a1b-4727-86bd-0b2f914f603d/
SH256 hash:
2aa286384cd56d31f9a384166905cdc09fe85f0d55df089e21f97000e8cfa9a4
MD5 hash:
032d6ac035852074bd79f3d6b83920a4
SHA1 hash:
7fafb5107b7bd9430033bb30de66d456fe7b74f3
Link:
https://www.unpac.me/results/2ca5a580-9a1b-4727-86bd-0b2f914f603d/
SH256 hash:
6477e6cc11cf82874b24271fc430bc91435c9ffe5c79a8706a8c31d9f95db5c4
MD5 hash:
58a77e768741643bb83fdf01aee6f24f
SHA1 hash:
1f16e41bc2098817bf42ed7f7205550203da0b65
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/2ca5a580-9a1b-4727-86bd-0b2f914f603d/
SH256 hash:
c71f0e07ad8827974bdc2096bd1db1f86831f997473e40b31167711a00c1fa37
MD5 hash:
92791e14b9df3b2381924a7cdc35aef6
SHA1 hash:
d78e9cb47a668e0083b3ad71a1514c760ab19e91
Link:
https://www.unpac.me/results/2ca5a580-9a1b-4727-86bd-0b2f914f603d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c71f0e07ad88/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c71f0e07ad8827974bdc2096bd1db1f86831f997473e40b31167711a00c1fa37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe c71f0e07ad8827974bdc2096bd1db1f86831f997473e40b31167711a00c1fa37

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439527/

Comments