MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc3d344872b9ee375c27d2f86ecad0abfceac2e91eda44a47a52ec2cd509526c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc3d344872b9ee375c27d2f86ecad0abfceac2e91eda44a47a52ec2cd509526c
SHA3-384 hash: 93a486e7b58d3b18dd9919e587dc2b1ee771fbb6d488bbf9795daf9ea55279ba69fd12b91757b2553efc52a5b98e2e1f
SHA1 hash: 89c51bdfe281e0b63f3dec616dc002e56c0f1f99
MD5 hash: 35b6cf05a41da192073d8c5d32871d52
humanhash: mobile-missouri-bluebird-artist
File name:1.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:282'624 bytes
First seen:2022-11-03 10:23:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5067727cf03f2e4a55d493419bdcdea3 (1 x DarkCloud)
ssdeep 6144:KS/HOJKxjJO9LEDrJkYct29Uku7WGsKBI1PO:KMuJeg+fJ429kfsKB
Threatray 59 similar samples on MalwareBazaar
TLSH T18B54D82BA661B02AF167C9B57AE4535BA8176C771640AC1BF7C1AB0631312D3E4F132F
TrID 78.7% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 06f692c2529ab2d2 (5 x DarkCloud, 2 x a310Logger, 2 x Floxif)
Reporter pr0xylife
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
booking.doc
Verdict:
Malicious activity
Analysis date:
2022-11-03 10:21:14 UTC
Tags:
trojan exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/b19eab00-4d0e-4658-89e4-725bc586bd95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/327876/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint greyware hacktool packed
Link:
https://www.filescan.io/uploads/6363df1dee1144603848fc1b/reports/5f318047-702e-46a4-adff-2925f467f149/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9df0157d-620f-4f2b-bf8c-1b00d87f1abe
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1104247
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses Windows timers to delay execution
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc3d344872b9ee375c27d2f86ecad0abfceac2e91eda44a47a52ec2cd509526c/
Threat name:
Win32.Trojan.SpywareX
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 00:23:00 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3q6tisdsxhxdoxbh2l4g5swqvp6ovqxjd3nejjd2klwczvijkjwa._file
Verdict:
malicious
Similar samples:
1bb31625967f178fe19619375912c6f805c8882d1bb4a5c2dbfed7a657f58eca
DarkCloud
2a85650070bb8a38e31bd9fe5fd4626364bdb6cef093025e4fe814fc18391685
DarkCloud
45969e23492b09bf7e761590493dc169570c2c4d66b20a523e20ea923d2b6070
DarkCloud
8662c5563163a4bfd38e68eee91831b3c07e30c022ec54bc58c381c53bb1f679
DarkCloud
8f458a7e77b48b60467dc6338ea5854db2afa53754fb2098edd8caf415ca6e64
DarkCloud
a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0
DarkCloud
c512faa4840c22633e33fa04de7c23ff972c97147ce9599de5c9d2326f01a589
DarkCloud
+ 49 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud
Link:
https://tria.ge/reports/221103-mfczkshca3/
Behaviour
Suspicious use of SetWindowsHookEx
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1b6d2f4d-587a-4807-b6c0-d60df6f1739b
Unpacked files
SH256 hash:
dc3d344872b9ee375c27d2f86ecad0abfceac2e91eda44a47a52ec2cd509526c
MD5 hash:
35b6cf05a41da192073d8c5d32871d52
SHA1 hash:
89c51bdfe281e0b63f3dec616dc002e56c0f1f99
Link:
https://www.unpac.me/results/7b7db93f-8ac4-4b27-ae88-2c941ea58e97/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/dc3d344872b9ee375c27d2f86ecad0abfceac2e91eda44a47a52ec2cd509526c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkCloud

Executable exe dc3d344872b9ee375c27d2f86ecad0abfceac2e91eda44a47a52ec2cd509526c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2397328/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/327876/

Comments