MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc
SHA3-384 hash: 60d732c7a565e843d8e636afcfba316702c87c2f54af6e56100c5605f920714966a3cc70f7642b0756b844d655d0d83b
SHA1 hash: eba1f47c6e74e4f5480aa65ed54ff7dc0e07eccf
MD5 hash: a8d88cbc4823e634b52a304af8f9e404
humanhash: ink-kansas-ink-victor
File name:invoice and packing list.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'182'208 bytes
First seen:2023-10-31 17:41:36 UTC
Last seen:2023-11-01 08:03:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:uLNboa9XPXBC4ixSWe5oUekYOICNS2/zkloKnAn44y3J3XlAt8HbacNpW6a+rTmI:gNn03Sj5VTNSCYBH4yA2ecNY67Hj
Threatray 57 similar samples on MalwareBazaar
TLSH T16845CE8B2912885AD4D4BF746CF565863A379CBA0014D283EDDFFE2CBEB134461C669C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0c8c4d8d8d4d43c (10 x AgentTesla, 2 x DarkCloud, 2 x GuLoader)
Reporter James_inthe_box
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
394
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice and packing list.exe
Verdict:
Malicious activity
Analysis date:
2023-10-31 19:18:51 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/b2d77b6b-a380-482f-b71e-db35a1f6be2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457431/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65413c6bb95974e822291d63/reports/c2267cbc-862b-442a-8a9c-4b4240b29730/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7bcb49f2-3d40-4f03-a0d2-915f2594c748
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335022
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335022 Sample: invoice_and_packing_list.exe Startdate: 31/10/2023 Architecture: WINDOWS Score: 100 51 showip.net 2->51 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus / Scanner detection for submitted sample 2->61 63 Sigma detected: Scheduled temp file as task from temp location 2->63 65 8 other signatures 2->65 8 invoice_and_packing_list.exe 7 2->8         started        12 keuspZ.exe 5 2->12         started        14 fireling.exe 2->14         started        16 fireling.exe 2->16         started        signatures3 process4 file5 45 C:\Users\user\AppData\Roaming\keuspZ.exe, PE32 8->45 dropped 47 C:\Users\user\AppData\Local\Temp\tmp485.tmp, XML 8->47 dropped 67 Uses schtasks.exe or at.exe to add and modify task schedules 8->67 69 Writes to foreign memory regions 8->69 71 Allocates memory in foreign processes 8->71 79 2 other signatures 8->79 18 RegSvcs.exe 43 8->18         started        21 powershell.exe 23 8->21         started        23 powershell.exe 23 8->23         started        25 schtasks.exe 1 8->25         started        73 Antivirus detection for dropped file 12->73 75 Multi AV Scanner detection for dropped file 12->75 77 Machine Learning detection for dropped file 12->77 27 RegSvcs.exe 12->27         started        31 schtasks.exe 12->31         started        33 conhost.exe 14->33         started        35 conhost.exe 16->35         started        signatures6 process7 dnsIp8 55 Found many strings related to Crypto-Wallets (likely being stolen) 18->55 37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        53 showip.net 162.55.60.2, 49741, 49743, 80 ACPCA United States 27->53 49 C:\Users\user\AppData\...\fireling.exe, PE32 27->49 dropped 57 Tries to harvest and steal browser information (history, passwords, etc) 27->57 43 conhost.exe 31->43         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc/
Threat name:
Win32.Ransomware.Loki
Create hunting rule
Status:
Malicious
First seen:
2023-10-31 12:07:25 UTC
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3v7k3mxxcasrxcnymp6pdq47nt6yhyeacbisggl22bmzti45oxga._file
Verdict:
malicious
Similar samples:
3ea69a1a0c5cc196a71ab1d7754abe0683813ff321d59d731bb72d2d3d076f3f
DarkCloud
478c23cab01ee3f4468f1069d0d09a669770889ad4a2bf3e572b6648a53d7139
DarkCloud
4bd728557c59a4ab89a5d3bd881603e69fa41247bab33f22d95404e532b21b24
DarkCloud
8e7100c354e0a53a58de3c7e3646997ebf0adaa17f39c4dd92139ebd06db4db8
DarkCloud
8e8d036b62e2c0dca98dd60db67f3d22f019a52fea426ef03fb3d94a3e335890
DarkCloud
99fe3099044a3933d4018dee43aefbc5ae8f5b720a34e0562453f95fa70732ee
DarkCloud
c107d4cc003e96086be97b02304631459e7b4ef3038fd6716ab583efe60dc964
DarkCloud
ffe2f8fec7f9ba8ff7877c6913820df6048f6d3df97dedf8d81efc3a51baba87
DarkCloud
+ 47 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/231031-v9zz7sdh57/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/2e94ea51-0987-4c06-93c4-37a53681b0b2/
SH256 hash:
a49a455839453a33147ed5f1c366848f96a79d172fc0d28d1b0028eef24da97d
MD5 hash:
7a57d3d274732311c8b3458649d15991
SHA1 hash:
e8c47cf04f3000c94d7fdc7e92bd407cde26b04a
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/2e94ea51-0987-4c06-93c4-37a53681b0b2/
Parent samples :
a698ba15b62fcfdee2edc67ef09b6f9422c2319b4ec4b407e14fe925d187a659
52bf42d91cce8764858e3d324a1f85d198722c43f6ae2a3d51e4dc93132bfa50
dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/2e94ea51-0987-4c06-93c4-37a53681b0b2/
SH256 hash:
54aeca7a2aa7e384ba70979e61e4dd38f1c58708a45cfe67d10a6255efb181be
MD5 hash:
332a897d57a4ef207e8d070d9aa3080e
SHA1 hash:
b8587c824844d2576863ba83fa11607c4173b787
Link:
https://www.unpac.me/results/2e94ea51-0987-4c06-93c4-37a53681b0b2/
SH256 hash:
321b9837024c717dd5b2ad4217a7e2734e368bdb58918437baf42f46a34149b1
MD5 hash:
91412a60691a2512ab0becb2f7002a32
SHA1 hash:
70fe342dd601a4b6a3fb67202c9ea3b3fea31b5c
Link:
https://www.unpac.me/results/2e94ea51-0987-4c06-93c4-37a53681b0b2/
SH256 hash:
dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc
MD5 hash:
a8d88cbc4823e634b52a304af8f9e404
SHA1 hash:
eba1f47c6e74e4f5480aa65ed54ff7dc0e07eccf
Link:
https://www.unpac.me/results/2e94ea51-0987-4c06-93c4-37a53681b0b2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dd7eadb2f710/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

rar 9714703fb69c23615c19813ef1c62c62baac3b9261ff56e9aa306166a24c255e

DarkCloud

Executable exe dd7eadb2f710251b89b863fcf1c39f6cfd83e080105123197ad05999a39d75cc

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/457431/
  
Dropped by
SHA256 9714703fb69c23615c19813ef1c62c62baac3b9261ff56e9aa306166a24c255e
  
Dropped by
MD5 813469ddd59834258dad4091d4619d88

Comments