MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249
SHA3-384 hash: 81a910a657b068d7ec553b86af49f9a2735685d72d22ec1a891e2dd128c6c9749a6251275ff403923d6335344a636cf9
SHA1 hash: 73de964b0c503e2651e80fb57ae62195bb598ff9
MD5 hash: e3351c05add94fac7045aea930fcface
humanhash: yankee-papa-avocado-september
File name:INVOICE098765678DCOP.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:656'384 bytes
First seen:2023-05-10 06:27:52 UTC
Last seen:2023-05-13 22:52:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:rUHLGlTRTX4Lz/dgjzd/eLs6wNzV0v7l90RHQuk:HZKz/uP8LduWTl90m
Threatray 82 similar samples on MalwareBazaar
TLSH T111D4DF022F570300D0AA42FAD9A66FE10E2FDE122921DB95D9C171FB7DBA742FD056D2
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:DarkCloud exe INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE098765678DCOP.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 06:28:41 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/f72205ab-4d82-4d4f-9349-b60608125c41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388024/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.26124.24272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed xpack
Link:
https://www.filescan.io/uploads/645b3973b664422b69d6197c/reports/b2d764e6-0a34-4457-926c-0aa83c7823e3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92ed2ace-d4dc-4870-931f-70ab64e8a811
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229756
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates executable files without a name
Drops PE files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862738 Sample: INVOICE098765678DCOP.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 8 other signatures 2->43 7 INVOICE098765678DCOP.exe 3 2->7         started        11 .exe 3 2->11         started        process3 file4 31 C:\Users\...\INVOICE098765678DCOP.exe.log, ASCII 7->31 dropped 45 Bypasses PowerShell execution policy 7->45 47 Writes or reads registry keys via WMI 7->47 49 Injects a PE file into a foreign processes 7->49 13 powershell.exe 13 7->13         started        17 INVOICE098765678DCOP.exe 3 7->17         started        19 powershell.exe 3 11->19         started        21 .exe 11->21         started        23 .exe 11->23         started        25 3 other processes 11->25 signatures5 process6 file7 33 C:\Users\user\AppData\Roaming\...\.exe, PE32 13->33 dropped 35 C:\Users\user\...\.exe:Zone.Identifier, ASCII 13->35 dropped 51 Creates executable files without a name 13->51 53 Drops PE files to the startup folder 13->53 55 Powershell drops PE file 13->55 27 conhost.exe 13->27         started        57 Tries to harvest and steal browser information (history, passwords, etc) 17->57 29 conhost.exe 19->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 01:06:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3k6fd52u2gedc2e7zr5fkrczulfc6ar3idxre3tm24q4ejnhkjeq._file
Verdict:
malicious
Similar samples:
00c0d03307a35807609f84f1a8bac83a28be4ce382216a3ce0e8295e66843083
DarkCloud
1e9975aa70df2b52041c743f18403e227dc5bef87084950bce1f101cdbdefdd0
DarkCloud
4208a88c74cfe1d05b7d8ca52eb0de4188adfbe33eaba4c2813ead8d0e623019
DarkCloud
4d67b83779599f1bcfeacdfc28afff670dd74b927cee2c756b27bb3f8c2b66e9
DarkCloud
7b5951f5bf8b74c9e9f377c59ad305a671735c9f7c6cf9f3def654c5989619ec
DarkCloud
9b9baf8a4d781b315971c83eed8a9c00d72ceed5eac36657dd5c1033115798ff
DarkCloud
aa6f1394af3f2820ad15b115539bc57596bffed774520729fe0254dc9e149384
DarkCloud
dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249
DarkCloud
ece59fc5b87ad5dc5fa299c45ce956d546379e746f91a95b998ba81bca700de1
DarkCloud
+ 72 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230510-g8bpbsge3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/cb276e74-0d87-4c29-aa88-ad30b7f25cce/
SH256 hash:
b236dff0df818bbf4fbf78ff08490b00a1f6872c1db11d4cd2827189c72ed7d2
MD5 hash:
39910e89e009a951c7b7b36522f57c16
SHA1 hash:
f0a3c75ec22270e798ec7fe0367067b50d6a80d7
Link:
https://www.unpac.me/results/cb276e74-0d87-4c29-aa88-ad30b7f25cce/
SH256 hash:
44356032faf30bd7514af0c6952609bfcd42a21e3ee109062e010f6d28f26bea
MD5 hash:
a8905032a7e329338f85db50ad4480e0
SHA1 hash:
7fa72618ae27dff2aec5fe53a955ef9a1fe5170f
Link:
https://www.unpac.me/results/cb276e74-0d87-4c29-aa88-ad30b7f25cce/
SH256 hash:
6c3c51d7900031d5e11c344cc53080154bedb27cb35aac7ab84f7147340dbaff
MD5 hash:
8e25f414d1d5ec1dee90da771ecc35e0
SHA1 hash:
246bb766f34ca9b2c30bc425d74f1353e21867b7
Link:
https://www.unpac.me/results/cb276e74-0d87-4c29-aa88-ad30b7f25cce/
SH256 hash:
dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249
MD5 hash:
e3351c05add94fac7045aea930fcface
SHA1 hash:
73de964b0c503e2651e80fb57ae62195bb598ff9
Link:
https://www.unpac.me/results/cb276e74-0d87-4c29-aa88-ad30b7f25cce/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip e5106e6f71ece18c0546160026a566080c51f456f00e6e5e53756345eed48d99

DarkCloud

Executable exe dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e5106e6f71ece18c0546160026a566080c51f456f00e6e5e53756345eed48d99
Cape
Cape
https://www.capesandbox.com/analysis/388024/
  
Dropped by
MD5 0fd43f22fe533f0e4fe393d8355e2b2e

Comments