MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8
SHA3-384 hash: 8ab944b6e7d08f5251cdc0eb48b60aeaeed3f000e337c22eb9f2ff51ddd41d3f3496d05e6c544e42db413c183abd9b3a
SHA1 hash: 9a3ee209433c221918badf5bd4ab112edb837794
MD5 hash: 38ce208e48fa504ece11364631b06cd8
humanhash: tennis-mockingbird-uniform-venus
File name:Inv 1210075219.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'291'959 bytes
First seen:2023-04-19 07:46:40 UTC
Last seen:2023-04-21 11:53:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:7TbBv5rUD8T2faDLAXjXXRQFX8KZNbAZ/BI6ZpUUBQjqfYTfz7V2EggiVEBLE/:lB+SDUtQSUbA3I6DUUZ8V2EgKU
Threatray 556 similar samples on MalwareBazaar
TLSH T197551202BEC1D9F3D06319321A69AB20AE7DBD601F658ECF3790495EDA325C0D7317A6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3eb6b676766e6e34 (2 x DarkCloud, 1 x AgentTesla, 1 x SnakeKeylogger)
Reporter cocaman
Tags:DarkCloud exe payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inv 1210075219.exe
Verdict:
Malicious activity
Analysis date:
2023-04-19 07:49:20 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/3057e50e-708f-4204-bc61-86353d9cc119

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383225/
Detection(s):
Win.Dropper.Nanocore-9987974-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80349/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm autoit explorer.exe greyware keylogger overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/643f9c7a60d614c82efcb58c/reports/37a9dc6b-e199-4c53-84b6-65b78e738b84/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e430d4e-f578-43ed-bca5-ff5a6f3bc6b5
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1216618
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 849542 Sample: Inv_1210075219.exe Startdate: 19/04/2023 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 3 other signatures 2->66 8 Inv_1210075219.exe 37 2->8         started        12 ckhxbs.pif 2->12         started        14 ckhxbs.pif 1 2->14         started        16 ckhxbs.pif 2->16         started        process3 file4 48 C:\Users\user\AppData\Local\...\ckhxbs.pif, PE32 8->48 dropped 68 Drops PE files with a suspicious file extension 8->68 70 Starts an encoded Visual Basic Script (VBE) 8->70 18 wscript.exe 1 8->18         started        72 Writes to foreign memory regions 12->72 74 Allocates memory in foreign processes 12->74 76 Injects a PE file into a foreign processes 12->76 20 RegSvcs.exe 12->20         started        22 RegSvcs.exe 1 12->22         started        24 RegSvcs.exe 1 14->24         started        26 RegSvcs.exe 14->26         started        28 RegSvcs.exe 16->28         started        30 RegSvcs.exe 16->30         started        signatures5 process6 process7 32 ckhxbs.pif 1 3 18->32         started        36 WerFault.exe 20->36         started        38 WerFault.exe 28->38         started        file8 46 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 32->46 dropped 52 Antivirus detection for dropped file 32->52 54 Writes to foreign memory regions 32->54 56 Allocates memory in foreign processes 32->56 58 Injects a PE file into a foreign processes 32->58 40 RegSvcs.exe 15 32->40         started        44 RegSvcs.exe 32->44         started        signatures9 process10 dnsIp11 50 showip.net 162.55.60.2, 49692, 80 ACPCA United States 40->50 78 Tries to harvest and steal browser information (history, passwords, etc) 40->78 80 May check the online IP address of the machine 44->80 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8/
Threat name:
Win32.Trojan.Lisk
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 23:25:28 UTC
File Type:
PE (Exe)
Extracted files:
103
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2erxjn3sa3evbybpspevhztd2pyjvfyi7eytvyfhjrrwzlsikg4a._file
Verdict:
malicious
Similar samples:
194f755147e8c616d0218d1e1b4e1e0a5c9373edb5e295665ab46cecebc05a5a
DarkCloud
331c2f4bff1f7b905846094bf883b8d67efa9f6698c57169bff85fd4382da009
DarkCloud
51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25
DarkCloud
592217d2590ae9ca688346688b2d7d13a78190f9562889597ebb79060136034c
DarkCloud
60f3966c3a1984024b515a62c1dce029717182dc7a8c7e02b13bc9e5d366fb38
DarkCloud
64359ddf637e15b2f3f8e0360d23caf8d2d5d51680b8709bde3eaa392978043a
DarkCloud
6c50963cb2f68cba3949a030f3e9520c239f096d22de4f104670588758dd9d26
DarkCloud
6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d
DarkCloud
715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6
DarkCloud
ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b
DarkCloud
+ 546 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer
Link:
https://tria.ge/reports/230419-jmh8dsba2z/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/0fb79751-6001-4b13-aed4-2fd4588d977e/
SH256 hash:
2fb34bc406fafa93c8754ff7d61b0582f51adaa0e835670fb6adbad74a2d7e33
MD5 hash:
7586cae0d33b98b2339214f1f283a474
SHA1 hash:
15d40ab7eaff81fff752cb8a3bafdebe64d62630
Link:
https://www.unpac.me/results/0fb79751-6001-4b13-aed4-2fd4588d977e/
SH256 hash:
b1c26ef07ae6f5ef50d250b0c95a47dbc5a45c4c2a7238d451dba5d2d888b85a
MD5 hash:
080963fe0a207224d84e9e90aed22c7a
SHA1 hash:
4cae25457c6800a08142476aab801706f69d157a
Link:
https://www.unpac.me/results/0fb79751-6001-4b13-aed4-2fd4588d977e/
SH256 hash:
d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8
MD5 hash:
38ce208e48fa504ece11364631b06cd8
SHA1 hash:
9a3ee209433c221918badf5bd4ab112edb837794
Link:
https://www.unpac.me/results/0fb79751-6001-4b13-aed4-2fd4588d977e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff

DarkCloud

Executable exe d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff
Cape
Cape
https://www.capesandbox.com/analysis/383225/
  
Dropped by
MD5 e5853886524341cde9a0e087c3eb94e1

Comments