MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d13c17545242ebec91cb81871e789cdfe30918645bb4d79a76458dd88af5e9a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d13c17545242ebec91cb81871e789cdfe30918645bb4d79a76458dd88af5e9a7
SHA3-384 hash: ab12cde0c13f03732e79ee18964290579999d5dadd13f06574f884944a4996de1068bdd37fbfc9a7da4734ca064884c1
SHA1 hash: d8785680914e903e4ec00eef5df897b4ef4014a4
MD5 hash: b25303446e438aabc0774e8e0d1fbd5c
humanhash: river-lima-don-grey
File name:Nvoices status.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:466'359 bytes
First seen:2022-12-19 08:38:21 UTC
Last seen:2023-01-03 03:19:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 6144:LkwKJCSAeKI3LBNJddbGGN8TnkX59ykRSoTVN4eqbVTCSdUbBXHfFzrcJsJDFoR1:IJCSAeKCrnF4kX59ykpn1i5SJHH21
Threatray 20 similar samples on MalwareBazaar
TLSH T1E4A4231B6AE6107BF85732709DF7D7EDDBA9942041361F1F23501FABA4039C0DA1A9E2
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nvoices status.exe
Verdict:
Malicious activity
Analysis date:
2022-12-19 08:44:01 UTC
Tags:
installer
Link:
https://app.any.run/tasks/c198ee75-aa0e-41c3-afbc-e7608b0a6d80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347856/
Detection(s):
SecuriteInfo.com.Variant.Zusy.445327.6800.30147.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f84c423-198a-4195-a36d-c680429b62e0
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1136959
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 769688 Sample: Nvoices status.exe Startdate: 19/12/2022 Architecture: WINDOWS Score: 92 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected DarkCloud 2->47 49 Yara detected Generic Dropper 2->49 51 Found many strings related to Crypto-Wallets (likely being stolen) 2->51 7 Nvoices status.exe 19 2->7         started        10 hnlyovubwfhe.exe 2->10         started        13 hnlyovubwfhe.exe 2->13         started        process3 file4 27 C:\Users\user\AppData\Local\...\umssulgo.exe, PE32 7->27 dropped 15 umssulgo.exe 1 2 7->15         started        55 Multi AV Scanner detection for dropped file 10->55 19 WerFault.exe 10 10->19         started        21 WerFault.exe 4 10 13->21         started        signatures5 process6 file7 29 C:\Users\user\AppData\...\hnlyovubwfhe.exe, PE32 15->29 dropped 37 Multi AV Scanner detection for dropped file 15->37 39 May check the online IP address of the machine 15->39 41 Maps a DLL or memory area into another process 15->41 43 Writes or reads registry keys via WMI 15->43 23 umssulgo.exe 1 25 15->23         started        signatures8 process9 dnsIp10 31 mail.toliptaba.com 108.167.158.119, 49699, 587 UNIFIEDLAYER-AS-1US United States 23->31 33 showip.net 162.55.60.2, 49698, 80 ACPCA United States 23->33 35 192.168.2.1 unknown unknown 23->35 53 Tries to harvest and steal browser information (history, passwords, etc) 23->53 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d13c17545242ebec91cb81871e789cdfe30918645bb4d79a76458dd88af5e9a7/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-18 11:04:22 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 40 (47.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2e6bovcsilv6zeolqgdr46e437rqsgdelo2npgtwiwg5rcxv5gtq._file
Verdict:
malicious
Similar samples:
2846ca6292a8d985cc30fd1a8b6cd626da21f2dd6e4b3138229a1ada9f2f79b9
DarkCloud
78209b6f468f6077142e45f3a21806bd36c47897d63124439b85d73aeffd028b
DarkCloud
889c2ec3e88c2a47de4bcc6d88cb74d21a01088330fb240788c81968ba16155b
DarkCloud
8beb70d99ea56763a805fe4152ad7c1ad8237c67fa8c27bd4fad4d1ee265e46a
DarkCloud
e736927372d65401306e5deda3e516c24a1f52641862034847218d3923993ed3
DarkCloud
ebbad6fe23e96ccf9e5667e59d87dab75add4b9c6bb5340b5143b1c0eb3db1a3
DarkCloud
efcc68db0a86c354b9d0fbb797692eb006116fd7e5277e4cabbee6a654e9e394
DarkCloud
f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee
DarkCloud
fb27645c5ba18a9e7e61876df54e4220c89cfdea419892dc08c32a9a7fe9b443
DarkCloud
ffda7e756dd083ce87c1dc9b9160e8223731dc35cdbf398415e8f1d8c38f9365
DarkCloud
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221219-kkanxahf4t/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bded1170-1d93-4ccd-8b08-3c084699a69f
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/2ecda6eb-dbb7-43c5-986b-efd83c648489/
SH256 hash:
917b2b379660d6c4c2005ae11325bc06140ef2079070596441d6d97452779e07
MD5 hash:
5e00869a1e7cd30cb218eebeab09a68a
SHA1 hash:
733d24293ae499d8ece01bc7a0de40d32aebd9aa
Link:
https://www.unpac.me/results/2ecda6eb-dbb7-43c5-986b-efd83c648489/
SH256 hash:
efcc68db0a86c354b9d0fbb797692eb006116fd7e5277e4cabbee6a654e9e394
MD5 hash:
5b2e6d9ed84cacb7c1e8d1b1d90214a3
SHA1 hash:
7001aca73dec9c7021f2461dddb5e1c59fbad705
Link:
https://www.unpac.me/results/2ecda6eb-dbb7-43c5-986b-efd83c648489/
SH256 hash:
d13c17545242ebec91cb81871e789cdfe30918645bb4d79a76458dd88af5e9a7
MD5 hash:
b25303446e438aabc0774e8e0d1fbd5c
SHA1 hash:
d8785680914e903e4ec00eef5df897b4ef4014a4
Link:
https://www.unpac.me/results/2ecda6eb-dbb7-43c5-986b-efd83c648489/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d13c17545242ebec91cb81871e789cdfe30918645bb4d79a76458dd88af5e9a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe d13c17545242ebec91cb81871e789cdfe30918645bb4d79a76458dd88af5e9a7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/347856/

Comments