MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb2e60eaf57d3b65b82994a5d107b664e61ca64534a12ee2becb608aae2b5fa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb2e60eaf57d3b65b82994a5d107b664e61ca64534a12ee2becb608aae2b5fa1
SHA3-384 hash: f9ab3e68c4959b2fb003fc9b7a2304dcd848a3f51c02adbc5dccfa86ea0e67278025415e8e9f033b7bb0cf80d303d0e5
SHA1 hash: c20ad36fb268942b253b59c1bc9407ec5a0a0146
MD5 hash: f1820b1528bf51f685da8243fe4527de
humanhash: river-one-equal-two
File name:Bank details mentoned in Invoice.zip
Download: download sample
Signature DarkCloud
Create hunting rule
File size:828'722 bytes
First seen:2023-01-31 07:59:52 UTC
Last seen:2023-01-31 08:54:08 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:SplsH4iWrHeviaI+5x98jQnxznAbQPxIYvfQrghT6s20XV44BNkQ0XPxrTyi96Y:Sbe4iWrd+ppxzAkOkH2QawAPNP96Y
TLSH T1B40523347616B00C55F3D7B52C0E24EC6602E1F7A532A9E9C94EB1FA11D46FC8AD263A
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:DarkCloud INVOICE zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""Key Solutions" <stjnkirribilli@optusnet.com.au>" (likely spoofed)
Received: "from optusnet.com.au (unknown [45.137.22.91]) "
Date: "30 Jan 2023 16:09:10 +0100"
Subject: "Ledger_____________RS. 28191/ Eastern Cargo Carriers (I) Pvt. Ltd."
Attachment: "Bank details mentoned in Invoice.zip"

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Bank details mentoned in Invoice.exe
File size:953'344 bytes
SHA256 hash: 12106652a544b41ff02bfaf4693a7a797a59419964500170be740933fc110363
MD5 hash: 55e5e28196aeef77c5eee53b57e3d080
MIME type:application/x-dosexec
Signature DarkCloud
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fn23.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.65245918.29120.6905.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/cb2e60eaf57d3b65b82994a5d107b664e61ca64534a12ee2becb608aae2b5fa1/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien packed
Link:
https://www.filescan.io/uploads/63d8ca85416d38777a7a6393/reports/8d684c24-fe0e-4081-b7be-babbb951f81f/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/cb2e60eaf57d3b65b82994a5d107b664e61ca64534a12ee2becb608aae2b5fa1
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb2e60eaf57d3b65b82994a5d107b664e61ca64534a12ee2becb608aae2b5fa1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-30 08:50:34 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmxgb2xvpu5wlobjsss5cb5wmttbzjsfgsqs5yv6znqivlrll6qq._file
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230131-j2pzgsfe92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
DarkCloud
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/cb2e60eaf57d3b65b82994a5d107b664e61ca64534a12ee2becb608aae2b5fa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip cb2e60eaf57d3b65b82994a5d107b664e61ca64534a12ee2becb608aae2b5fa1

(this sample)

DarkCloud

Executable exe 12106652a544b41ff02bfaf4693a7a797a59419964500170be740933fc110363

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 12106652a544b41ff02bfaf4693a7a797a59419964500170be740933fc110363
  
Dropping
MD5 55e5e28196aeef77c5eee53b57e3d080

Comments