MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff
SHA3-384 hash: f76dadd84f54469db5419e2a6b0ab2b5f00297134d2242258c370a87fb12bbec81df1709258422ad6f8519400db95dfc
SHA1 hash: d828006cbeba74306826944d5508003332785b61
MD5 hash: e5853886524341cde9a0e087c3eb94e1
humanhash: comet-pluto-emma-ink
File name:Inv 1210075219.zip
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'155'779 bytes
First seen:2023-04-19 07:46:31 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:ExdTs85EpduXFXXHQFXwKjbGD/B86Cp9+jgfYTJIDfeM8iVgEX:EHUkZQKybGV86y1bDfjX
TLSH T1563533641629A7DAF40E584E26DF18343EB74DC6DFF61E041B21E46293BFB40E246A7C
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:DarkCloud payment zip


Avatar
cocaman
Malicious email (T1566.001)
From: "=?UTF-8?B?Q0NJQy3lhonmgKHlqbcoRmlubyk=?= <fion_jan@ccic.com.tw>" (likely spoofed)
Received: "from ccic.com.tw (unknown [185.222.58.104]) "
Date: "18 Apr 2023 23:22:51 +0200"
Subject: "Re: Re: Re: Payment -PPC Moulding Services Pty Ltd"
Attachment: "Inv 1210075219.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Inv 1210075219.exe
File size:1'291'959 bytes
SHA256 hash: d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8
MD5 hash: 38ce208e48fa504ece11364631b06cd8
MIME type:application/x-dosexec
Signature DarkCloud
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Nanocore-9987974-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff/results/dashboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm autoit explorer.exe greyware keylogger overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/643f9c78c95e495f96c7832f/reports/94394699-31ea-4186-8346-34f7462b85b2/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff/
Threat name:
Script-AutoIt.Trojan.Lisk
Create hunting rule
Status:
Malicious
First seen:
2023-04-19 00:39:56 UTC
File Type:
Binary (Archive)
Extracted files:
104
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3xrmpbqcrm66ccphiqaun5pjicgd452ueom7t3afrsrgtgagi37q._file
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer
Link:
https://tria.ge/reports/230419-jptrxahb78/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DarkCloud
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip dde2c786028b3de109e7440146f5e9408c3e77542399f9ec058ca269980646ff

(this sample)

DarkCloud

Executable exe d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8
  
Dropping
MD5 38ce208e48fa504ece11364631b06cd8

Comments