MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d476dd03b89f907816cb87f2182926791494de65269e1b82356c61a7350e1fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d476dd03b89f907816cb87f2182926791494de65269e1b82356c61a7350e1fad
SHA3-384 hash: ebe1041e7ddfd05e9e8ee711e8b4b6f2ac483f3f04d2d9643c0ebf9fc45d0b8c31bddb16e5f6183d430f4a586687ddb9
SHA1 hash: 71d968f4cbdff52026af92bd401e7c339972eff2
MD5 hash: 0bd716af3a71159b6e7197cddeb66d7b
humanhash: princess-single-bravo-black
File name:SQ22201004 S0Q22201003.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:434'077 bytes
First seen:2022-10-12 21:54:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:RNmtwrRwEd/mit1fv/UsxTgVFcv0v141BGM4L4bR:RNmytVlTDUwTgVq0S6ZUbR
Threatray 3'534 similar samples on MalwareBazaar
TLSH T17394236677B8C6A3D80B54723F7A65792B9A781230712A0B3374B66D776C3C07A4E331
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319587/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42788/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
9002 lokibot overlay packed shell32.dll winlock zeroaccess
Link:
https://www.filescan.io/uploads/634737b60d2bcf0ff9a2a039/reports/8d376ff4-6057-485c-a25b-0bcab20cc9e2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07aa3817-e2d4-4d3d-a434-889d55316a24
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089217
Signature
Antivirus detection for dropped file
Drops PE files to the user root directory
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 721815 Sample: SQ22201004 S0Q22201003.exe Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 43 Antivirus detection for dropped file 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 3 other signatures 2->49 7 SQ22201004 S0Q22201003.exe 18 2->7         started        process3 file4 25 C:\Users\user\AppData\Local\...\ptjtmdqqd.exe, PE32 7->25 dropped 10 ptjtmdqqd.exe 4 7->10         started        process5 file6 27 C:\Users\user\AppData\Local\Temp\A626.tmp, PE32 10->27 dropped 29 C:\Users\user\AppData\Local\Temp\A172.tmp, PE32 10->29 dropped 31 C:\Users\user\AppData\Local\Temp\98A7.tmp, PE32 10->31 dropped 51 Antivirus detection for dropped file 10->51 53 May check the online IP address of the machine 10->53 55 Machine Learning detection for dropped file 10->55 57 4 other signatures 10->57 14 ptjtmdqqd.exe 1 27 10->14         started        19 ptjtmdqqd.exe 1 10->19         started        21 conhost.exe 10->21         started        23 ptjtmdqqd.exe 10->23         started        signatures7 process8 dnsIp9 35 smtp.levcek.si 185.148.72.230, 49703, 587 S-AND-T-SLOVENIA-ASSI Slovenia 14->35 37 showip.net 162.55.60.2, 49702, 80 ACPCA United States 14->37 33 C:\Users\Public\vbsqlite3.dll, PE32 14->33 dropped 39 Tries to harvest and steal browser information (history, passwords, etc) 14->39 41 Tries to steal Crypto Currency Wallets 14->41 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d476dd03b89f907816cb87f2182926791494de65269e1b82356c61a7350e1fad/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 08:32:31 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
27 of 41 (65.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2r3n2a5yt6ihqfwlq7zbqkjgpekjjxtfe2pbxarvnrq2oniod6wq._file
Verdict:
malicious
Similar samples:
167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e
DarkCloud
3586599d4978f9857550a52a8397edd027afe7f2eafb4f66e4af98dcd0337d22
DarkCloud
45969e23492b09bf7e761590493dc169570c2c4d66b20a523e20ea923d2b6070
DarkCloud
587522728615a4ab4812cbd3cd7f43df4ced696945aad8e8854dfdfa1538492d
DarkCloud
b1bc91086e6fe98ad32079eec01e28b01ae0706d513bf494bd321aaf22e641ec
DarkCloud
dc6132f9c63cd966c76790f0761299f92c31684197e40a949c4e1eb9a539bfc8
DarkCloud
e838d341d05fb719bcecd3cd2d7e252829392600f2fcb0e6b20bec5415531d8c
DarkCloud
ff4cff76876cda952a48855396ca07f5fb5216a5df0efd10c9701c135552703c
DarkCloud
+ 3'524 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221012-1srkdsebb4/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Gathering data
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/3ae24916-46ec-48e5-8c93-d1b31dca195a/
SH256 hash:
3cd6d406c81259f79559650e26d91d1612fccb91beae8f71cb17e5728460bd5a
MD5 hash:
75585c5c0583deb75c3291d3cfc33080
SHA1 hash:
cfbff2791a4eccd64c12b3a46124851e2c5d7eb8
Link:
https://www.unpac.me/results/3ae24916-46ec-48e5-8c93-d1b31dca195a/
SH256 hash:
79c78fe05a3f8f4c4879ab8c9fd2e522743e136a9358aa58c9755efd3abb89f0
MD5 hash:
8e0c132f429585e3e1d0b7ca16e8f92b
SHA1 hash:
f8bc0a9175af4e4b3dd6d07315fdcfc7b1547bd5
Link:
https://www.unpac.me/results/3ae24916-46ec-48e5-8c93-d1b31dca195a/
SH256 hash:
82e71bb4132cee1e577d41e805c6f0fa0865dfe76c7ef3c4b779d0b0fb3c98ee
MD5 hash:
2bc5dbe8617cc612bb47abcd4f66eacf
SHA1 hash:
4b3587748bc183e81fa369f97bf85677aee7ac9f
Link:
https://www.unpac.me/results/3ae24916-46ec-48e5-8c93-d1b31dca195a/
SH256 hash:
d476dd03b89f907816cb87f2182926791494de65269e1b82356c61a7350e1fad
MD5 hash:
0bd716af3a71159b6e7197cddeb66d7b
SHA1 hash:
71d968f4cbdff52026af92bd401e7c339972eff2
Link:
https://www.unpac.me/results/3ae24916-46ec-48e5-8c93-d1b31dca195a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d476dd03b89f907816cb87f2182926791494de65269e1b82356c61a7350e1fad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe d476dd03b89f907816cb87f2182926791494de65269e1b82356c61a7350e1fad

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/319587/

Comments