MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3
SHA3-384 hash: 1e1912c57ad88089f3b89a25c84bc193976c725aaee3078f807adbddfe8c0d2e82a02247e180b1c14d7a912fbfd6f552
SHA1 hash: e41e56533dad36409b8f9d30e2bae8c22bba11c4
MD5 hash: 29e2c66bc44a433d6da95086cae40800
humanhash: paris-failed-apart-lion
File name:SecuriteInfo.com.Zum.Androm.1.24234.31952
Download: download sample
Signature DarkCloud
Create hunting rule
File size:462'854 bytes
First seen:2023-07-19 00:27:46 UTC
Last seen:2023-07-19 05:49:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:PYSahmsDnOhqRKHrJUovhWmtQNdVPfUgB1X3oNtHZyLHr:PYSahFDnOkRKLJUK6d9UgGALL
Threatray 14 similar samples on MalwareBazaar
TLSH T15EA42218D7E0C42BE87566759AB6817ACFF26A123855CB9B23149F7C3617364C30EB23
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Zum.Androm.1.24234.31952
Verdict:
Malicious activity
Analysis date:
2023-07-19 00:28:05 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/e4c2e575-123e-4f30-862f-3f8552ec0193

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/424389/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.24234.31952.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control darkcloud lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64b72e13fd9e198dc115e725/reports/b3b00cca-fbbe-4e4f-ba6f-ffd53056f430/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38ee0bea-b7d3-46dc-8a21-94c8ac6dae5e
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275545
Signature
Antivirus detection for dropped file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275545 Sample: SecuriteInfo.com.Zum.Androm... Startdate: 19/07/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Antivirus detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 3 other signatures 2->53 6 cwgp.exe 18 2->6         started        10 firemaster.exe 18 2->10         started        12 SecuriteInfo.com.Zum.Androm.1.24234.31952.exe 1 20 2->12         started        process3 file4 25 C:\Users\user\AppData\...\voojhtxofh.dll, PE32 6->25 dropped 55 Multi AV Scanner detection for dropped file 6->55 57 Detected unpacking (changes PE section rights) 6->57 59 Detected unpacking (overwrites its own PE header) 6->59 61 Writes or reads registry keys via WMI 6->61 14 cwgp.exe 48 6->14         started        27 C:\Users\user\AppData\...\voojhtxofh.dll, PE32 10->27 dropped 63 May check the online IP address of the machine 10->63 65 Machine Learning detection for dropped file 10->65 67 Maps a DLL or memory area into another process 10->67 17 firemaster.exe 10->17         started        29 C:\Users\user\AppData\Roaming\...\cwgp.exe, PE32 12->29 dropped 31 C:\Users\user\AppData\...\voojhtxofh.dll, PE32 12->31 dropped 69 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 12->69 71 Creates multiple autostart registry keys 12->71 73 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 12->73 20 SecuriteInfo.com.Zum.Androm.1.24234.31952.exe 2 45 12->20         started        signatures5 process6 dnsIp7 33 mail.tefoc.com 14->33 35 mail.tefoc.com 17->35 43 Tries to harvest and steal browser information (history, passwords, etc) 17->43 37 tefoc.com 103.14.121.180, 465, 49691, 49695 GDRPL-INGoodDomainRegistryPrivateLimitedIN India 20->37 39 x1.i.lencr.org 20->39 41 2 other IPs or domains 20->41 23 C:\Users\user\AppData\...\firemaster.exe, PE32 20->23 dropped 45 Creates multiple autostart registry keys 20->45 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-07-19 00:28:06 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tnmxqcunjc5e233tvmig23zawursfk3ibryewmikahhbrzz2hzq._file
Verdict:
malicious
Similar samples:
081d698ce05d76d8762d9f725143095a0c3ee39a663c08e4523e951dfab93507
DarkCloud
270da7c5b8484ac3f7a0e90036e8e88f951de2ba3a22a0cc56e2b5cd8b0cafe3
DarkCloud
42ef434d4f2fbb1d7dcc088b49c7fd18b15a5cc6871d3b03126071f2981de33f
DarkCloud
43b0616d8f71811739454e94f8a91e47dfd51e0d30a38c7a90f78feb6b177556
DarkCloud
62e14feb0e0a4b6b36e258f63af59d4b68809fe0761b6c58c7ecdea90f4f2c1d
DarkCloud
695196a548978cf3d42fbc0e3cd203a580977262cbae0c96fa8c0128df4d91f9
DarkCloud
8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed
DarkCloud
9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
DarkCloud
b99842b985a6f2f3f6143250917607ccef271d03b631331fa498d7a2b1caa7a1
DarkCloud
c1725944985e772a05352396df8a4f1c2ead57379b075beb7a0b76c5ace344af
DarkCloud
+ 4 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer
Link:
https://tria.ge/reports/230719-asbwtsfe3z/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/687c7e4d-ad8f-4f1a-835b-de4f302a6a65/
SH256 hash:
c2df595e5453e543b166a6b9700ea43cb5e9cb5a030dba402df74d253939e6ff
MD5 hash:
0333c7aa70acff0e7945612060d1d1fe
SHA1 hash:
16e65bace21a7dcdb7f37dda92e4a12bb688bec7
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/687c7e4d-ad8f-4f1a-835b-de4f302a6a65/
SH256 hash:
45549f7b795c8a725bb375501fb1fdd6582309c7f9a4d8778f93942615e0fc5e
MD5 hash:
6a6c24b2e138a86e07ece17dd5aa1ba2
SHA1 hash:
707e1d8d57b97891969e927765abf981af96089c
Link:
https://www.unpac.me/results/687c7e4d-ad8f-4f1a-835b-de4f302a6a65/
SH256 hash:
d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3
MD5 hash:
29e2c66bc44a433d6da95086cae40800
SHA1 hash:
e41e56533dad36409b8f9d30e2bae8c22bba11c4
Link:
https://www.unpac.me/results/687c7e4d-ad8f-4f1a-835b-de4f302a6a65/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4dacbc0546a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/424389/

Comments