MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac
SHA3-384 hash: 468e897e0cdaaea248d13bc64caf19587be8e45657a42e3bbc2908306377936ae7a5e3964688f08e34139a7f50afde9e
SHA1 hash: fc9cb08a22789464869fee55d54afda180a404d0
MD5 hash: 9491c3b9242e91e2378745e613fed56d
humanhash: colorado-zulu-seven-neptune
File name:QUOTATION-ETH00932.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'099'776 bytes
First seen:2025-07-07 06:20:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:q072LHHhcjVa8i5auADt5L8VvJy37uBH:jgnKa8WFM8VvEr
TLSH T19235F01036654F06EA7A97F64122D13203F85E9D78ADE2166FC27CDF39B5B806890F27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter lowmal3
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
22
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12602/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686b6754900df8e7f8681650
Tags:
snakelogger virus krypt msil
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89983c4c-0964-43aa-baa8-2263600b556f
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1729832
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1729832 Sample: QUOTATION-ETH00932.exe Startdate: 07/07/2025 Architecture: WINDOWS Score: 100 46 showip.net 2->46 48 Found malware configuration 2->48 50 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 7 other signatures 2->54 8 QUOTATION-ETH00932.exe 7 2->8         started        12 iPQVSKLQLY.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\iPQVSKLQLY.exe, PE32 8->36 dropped 38 C:\Users\...\iPQVSKLQLY.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp6311.tmp, XML 8->40 dropped 42 C:\Users\user\...\QUOTATION-ETH00932.exe.log, ASCII 8->42 dropped 56 Uses schtasks.exe or at.exe to add and modify task schedules 8->56 58 Adds a directory exclusion to Windows Defender 8->58 60 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 8->60 62 Injects a PE file into a foreign processes 8->62 14 powershell.exe 23 8->14         started        17 QUOTATION-ETH00932.exe 15 8->17         started        20 schtasks.exe 1 8->20         started        22 MpCmdRun.exe 8->22         started        64 Multi AV Scanner detection for dropped file 12->64 66 Writes or reads registry keys via WMI 12->66 24 iPQVSKLQLY.exe 14 12->24         started        26 schtasks.exe 1 12->26         started        signatures6 process7 dnsIp8 68 Loading BitLocker PowerShell Module 14->68 28 conhost.exe 14->28         started        44 showip.net 162.55.60.2, 49718, 49719, 80 ACPCA United States 17->44 30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        70 Tries to harvest and steal browser information (history, passwords, etc) 24->70 34 conhost.exe 26->34         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.04 Win 32 Exe x86
Link:
https://app.malva.re/file/9491c3b9242e91e2378745e613fed56d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-07-06 08:40:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tlt4ythruslwqgqtd6ksjsizt3mcbrc5qeskek67mq236vhicwa._file
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250707-g4cqtsyxdz/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d153cd3f-d372-4779-8a7c-0b2f0beb8c07
Unpacked files
SH256 hash:
d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac
MD5 hash:
9491c3b9242e91e2378745e613fed56d
SHA1 hash:
fc9cb08a22789464869fee55d54afda180a404d0
Link:
https://www.unpac.me/results/c8590213-0968-4c2d-9495-bc596125a837/
SH256 hash:
d94f93ab22b813f2d50a53fa6fc10fde3b147d988b0f2588204c12caf8b4fbff
MD5 hash:
02f3b824b4a27e64413967cb8b3fbacc
SHA1 hash:
14a77472a1ec26075836225dbd625fcb51122684
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c8590213-0968-4c2d-9495-bc596125a837/
SH256 hash:
36200781beb2d56c8705c152246b0fac20f7a2cb13d988eee7de6529b9f1a1f0
MD5 hash:
e5a27de9609950379c07b3ebdc8d9772
SHA1 hash:
7c2fd4dd8bb0b6a9e9d27d5650d344a3bd4e696a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/c8590213-0968-4c2d-9495-bc596125a837/
Parent samples :
368c3f4373be7b2de2adb08b623315e12d69d4d3f174c6a5d5b3e892a85fee51
9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f
527faa491b052e081f3f21cc8a1499a895e69184b46fc039b382150f4ee7063e
252223c4796d1ff0184f549dd9cae4a0ab07c82958bb41f824f9b8aa92fa5496
d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac
972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3
SH256 hash:
fb910069b34e0582c6c3d0ccda1267d0ebfb6a6f6a3f3631db1b5cc80155cc48
MD5 hash:
e8cb799a1d2d4d6aa62c4161a79c4755
SHA1 hash:
8acb1258edeb407a88677ace977601e0790fecb6
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/c8590213-0968-4c2d-9495-bc596125a837/
Parent samples :
0ca32ef99b452e03e0a45dc234399bc6a8588ed4eabdce7afacce73f3c20aaa6
b8a1968edbea8c76420335be98bcb9f7d11519c3e4b504883957d0167d06a330
e365adfd792b6939eac0c37f7686cdf75e43366994cbdf124c9cb321a6daf437
d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac
ec7615c1c9aa8d049dd4c8f86407d3253b30137a88e711eccd2e26e017dee00f
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/c8590213-0968-4c2d-9495-bc596125a837/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12602/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments