MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d021a19c0089bc53a0f8adbeb4fe2221bfbe0a2b6a503aca3f1948dce9580db4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d021a19c0089bc53a0f8adbeb4fe2221bfbe0a2b6a503aca3f1948dce9580db4
SHA3-384 hash: 35378692bfb89133834d4f115b89729cfe0b461a98ad4cfa4fbb8246c72ece85173a43ed2a69e9e64e841eae4e0920f3
SHA1 hash: e798772bd538fc6ea697c0e1ad36fca393efae49
MD5 hash: 67f2b20d5587cc88025a036f11846b80
humanhash: oxygen-alanine-vegan-robert
File name:SecuriteInfo.com.Win32.KeyloggerX-gen.18242.22124
Download: download sample
Signature DarkCloud
Create hunting rule
File size:796'672 bytes
First seen:2023-08-03 10:45:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'644 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:JgiLq3ZGsP3A60tpeEefsSzmwxLnLaAT25:JdGUsvWtuowxLLaAT
Threatray 231 similar samples on MalwareBazaar
TLSH T12B0523F03AED5738CCDC8FB56C571080417B92C6A7A9FE2E2AED7488B793945B429311
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 5ab9f8e4f8999ab8 (5 x Loki, 5 x AgentTesla, 3 x Formbook)
Reporter SecuriteInfoCom
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.KeyloggerX-gen.18242.22124
Verdict:
Malicious activity
Analysis date:
2023-08-03 10:47:03 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/d3910536-7aac-4bd2-84d4-ce5797cd1cd2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/440056/
Detection(s):
SecuriteInfo.com.Win32.KeyloggerX-gen.18242.22124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/64cb856d8b880a9fc6436ed1/reports/a2751ca5-de8f-4c56-b37c-d4b3edc304bf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d021a19c0089bc53a0f8adbeb4fe2221bfbe0a2b6a503aca3f1948dce9580db4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4003510a-2ecb-4c61-a1b6-402138fdc884
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1285015
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1285015 Sample: SecuriteInfo.com.Win32.Keyl... Startdate: 03/08/2023 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Sigma detected: Scheduled temp file as task from temp location 2->42 44 5 other signatures 2->44 7 SecuriteInfo.com.Win32.KeyloggerX-gen.18242.22124.exe 7 2->7         started        11 IfDFplhz.exe 5 2->11         started        process3 file4 30 C:\Users\user\AppData\Roaming\IfDFplhz.exe, PE32 7->30 dropped 32 C:\Users\...\IfDFplhz.exe:Zone.Identifier, ASCII 7->32 dropped 34 C:\Users\user\AppData\Local\...\tmp5E38.tmp, XML 7->34 dropped 36 SecuriteInfo.com.W...18242.22124.exe.log, ASCII 7->36 dropped 48 Uses schtasks.exe or at.exe to add and modify task schedules 7->48 50 Writes to foreign memory regions 7->50 52 Allocates memory in foreign processes 7->52 54 Adds a directory exclusion to Windows Defender 7->54 13 powershell.exe 17 7->13         started        15 schtasks.exe 1 7->15         started        17 RegSvcs.exe 4 7->17         started        56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 60 Injects a PE file into a foreign processes 11->60 19 RegSvcs.exe 3 11->19         started        22 schtasks.exe 1 11->22         started        signatures5 process6 signatures7 24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        46 Tries to harvest and steal browser information (history, passwords, etc) 19->46 28 conhost.exe 22->28         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d021a19c0089bc53a0f8adbeb4fe2221bfbe0a2b6a503aca3f1948dce9580db4/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-08-03 08:37:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2aq2dhaarg6fhihyvw7lj7rceg734crlnjidvsr7dfenz2kybw2a._file
Verdict:
malicious
Similar samples:
069af598ef0f129b4efbb3e86a4f86bcf23d9caac7d85155893302304c62f32b
DarkCloud
5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f
DarkCloud
6333f3de90012f2acd3436fbd0bc2672a989238ccd7ea97a948c2f07f6397a9e
DarkCloud
73ca91a52ed319db604f0951f4b95ebd4a93eabc6f410e3d7f7ffd33efa29982
DarkCloud
8573f0b0ca38799192fa3c6d6bfc928a2f1383f529e65c43f8c324b825735bd5
DarkCloud
8df743bfde0cc4b44753b7efdeb0f37e381a302f3248470cb949ed16730dd106
DarkCloud
a65903f3968b96768cd2ca31af342c23b7f8c8b0d928b6a7f9119c80f105b3ee
DarkCloud
cabcb0bfd5b86be43f98e9ea8dcb92e8ef87d1c98e326b2effa2d39482bb882a
DarkCloud
d8ed3fb0de9b294adf3d48b7149010d51b01a9f9b262581aff015f1318999671
DarkCloud
e43e6ed9728722214571cc37b745086f7dc04731d08375bf54ee7cbe83cc6ace
DarkCloud
+ 221 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230803-mty4zaeb4s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6474909072:AAE35t_kjfFFVCPF7xcGUBipQxF6QCUotU/sendMessage?chat_id=1184359262
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/4837762a-f206-4e7f-8c18-db3a99bf1944/
SH256 hash:
49145ed861b412bc015ff0800969052756deea17d5c6285da8f5937c0efdad46
MD5 hash:
0ef5168d36eee9ca0bcefcd84b907b70
SHA1 hash:
b40debea28d99750fe9b6a2b7d243eb35549aed5
Link:
https://www.unpac.me/results/4837762a-f206-4e7f-8c18-db3a99bf1944/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/4837762a-f206-4e7f-8c18-db3a99bf1944/
SH256 hash:
670b559ae1923eb7bd4ae2f5ef9cbbe6a240e101fcd0c33531c3a339e3481771
MD5 hash:
5cb99e3efda417104d8b410d77aa71ac
SHA1 hash:
80abe006e6395f13a4e14c89791e1e102de2e1fe
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/4837762a-f206-4e7f-8c18-db3a99bf1944/
Parent samples :
da045c72bf6b543c9514160103f2d6816f59d896848f4eceaf9c6ec9e9b58416
d021a19c0089bc53a0f8adbeb4fe2221bfbe0a2b6a503aca3f1948dce9580db4
f4e66b28f6a98a76e32c498914c56c8c34293c432338199e461945cb6c69b1ec
SH256 hash:
48ef528dcda3ab02888f17157e2ad735670c943b2ed92dbf90c0cbdb363a50d6
MD5 hash:
43dd3178c12e7c6de612d4f1ac269588
SHA1 hash:
46309441ca1bc1a2c51193c2a10b388203205eae
Link:
https://www.unpac.me/results/4837762a-f206-4e7f-8c18-db3a99bf1944/
SH256 hash:
d021a19c0089bc53a0f8adbeb4fe2221bfbe0a2b6a503aca3f1948dce9580db4
MD5 hash:
67f2b20d5587cc88025a036f11846b80
SHA1 hash:
e798772bd538fc6ea697c0e1ad36fca393efae49
Link:
https://www.unpac.me/results/4837762a-f206-4e7f-8c18-db3a99bf1944/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d021a19c0089/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d021a19c0089bc53a0f8adbeb4fe2221bfbe0a2b6a503aca3f1948dce9580db4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/440056/

Comments