MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de389cc5045366de69ef81862f6b5cf74b129af9681d064cd18522d30793f9a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de389cc5045366de69ef81862f6b5cf74b129af9681d064cd18522d30793f9a4
SHA3-384 hash: c6c35f62a795b99aab58f09dd6f7456f10788ac3d4f8232028ae0716269740a2c1011769b26efbd0aae2193aaaf3f123
SHA1 hash: 6cc684c0ebe090e1f62e8cd7bdbf07f5182d328c
MD5 hash: a5e2ce872910f7a2d4eebaedd26baa2b
humanhash: friend-jupiter-angel-juliet
File name:USD FATURASI.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'233'920 bytes
First seen:2023-01-13 10:00:55 UTC
Last seen:2023-01-13 14:18:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:uob3Zb/gh/T0BWdcNy1RSw2XoFElzOMkpPXZ6uXnUCypVDlFg:uoFb4h/OWr3/S9FEXKpVDT
Threatray 6'615 similar samples on MalwareBazaar
TLSH T13845CFF2529D99D5E5A50E3806A93E1462B99C8BC734E12E7E4335BB88F478F00787D3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
183
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
USD FATURASI.exe
Verdict:
Malicious activity
Analysis date:
2023-01-13 10:03:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/62d1e686-310b-4cbb-bab1-898323f19dca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352541/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2344.27146.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c12be0e0fff64f4af0419c/reports/f4f53560-a6fa-4ded-9f51-77812394509d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4c74030-a32e-4bd4-91bd-4af38aaa0ae7
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1150966
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 783698 Sample: USD FATURASI.exe Startdate: 13/01/2023 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 9 other signatures 2->60 7 USD FATURASI.exe 7 2->7         started        11 YyEDRTo.exe 5 2->11         started        process3 file4 38 C:\Users\user\AppData\Roaming\YyEDRTo.exe, PE32 7->38 dropped 40 C:\Users\user\...\YyEDRTo.exe:Zone.Identifier, ASCII 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmpFD99.tmp, XML 7->42 dropped 44 C:\Users\user\...\USD FATURASI.exe.log, ASCII 7->44 dropped 64 Adds a directory exclusion to Windows Defender 7->64 66 Injects a PE file into a foreign processes 7->66 13 USD FATURASI.exe 14 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        30 4 other processes 7->30 68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 72 Writes or reads registry keys via WMI 11->72 21 YyEDRTo.exe 11->21         started        24 schtasks.exe 11->24         started        26 YyEDRTo.exe 11->26         started        28 YyEDRTo.exe 11->28         started        signatures5 process6 dnsIp7 48 pinartur.com.tr 46.31.79.76, 49697, 49698, 49699 HOSTLABTR Turkey 13->48 50 mail.pinartur.com.tr 13->50 46 C:\Users\Public\vbsqlite3.dll, PE32 13->46 dropped 32 conhost.exe 17->32         started        34 conhost.exe 19->34         started        52 mail.pinartur.com.tr 21->52 62 Tries to harvest and steal browser information (history, passwords, etc) 21->62 36 conhost.exe 24->36         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de389cc5045366de69ef81862f6b5cf74b129af9681d064cd18522d30793f9a4/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-13 10:01:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3y4jzriekntn42ppqgdc622465frfgxznaoqmtgrqurngb4t7gsa._file
Verdict:
malicious
Similar samples:
17310a407cf725a962dffd7d620f9bc625331a3b82f4588f882ceffd859ba13e
DarkCloud
180f2226aeb26e03766d816a4637304cf78597389d8598d2c8a169e429f2e8f7
DarkCloud
3d64b3a9e1b1e570d0fa0352a34477fb030a900072f862d35f98c8af6eb40487
DarkCloud
72583f44847a7163594df6713b246140478f41f50448f9d8585ebfde2d4b3ca0
DarkCloud
77ced15da197776d3e66903fd6eba7e5288761f6b3011922400fd3a6d920e2d9
DarkCloud
8d1bff8e45e6e259229503a8fd2ab69b04cf197f3d2e2cf7bc9dd512bac141a3
DarkCloud
9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb
DarkCloud
cb7ffda616dbfb59cec05339b9bee2e7ecae48595545ee4e63d93e9751feb594
DarkCloud
d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1
DarkCloud
ff5610cfb67d17c4e2d8f311146834c4d70680d10173a5b1ce39ea7aa3183a93
DarkCloud
+ 6'605 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230113-l18rbaga78/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/7783e5b9-d5d6-4a89-9dc0-4a9c27cde4af/
SH256 hash:
975a3ee39aa4276fa8cf94f9ccbc88f1ce791dbbf114a3ced8e1b9c7e190353e
MD5 hash:
9511acd4d863ffca834f6adc22d7393f
SHA1 hash:
da878cb2c8634ba33693a00d5fb7a240054e0a46
Link:
https://www.unpac.me/results/7783e5b9-d5d6-4a89-9dc0-4a9c27cde4af/
SH256 hash:
1c0072bd0c8fbf0e27d145a0ee7e34428936c2ddeba929d3f60e352891e7e0c6
MD5 hash:
b2d0625c46714e40a6a38238659ea9ed
SHA1 hash:
dc43d5d539eab67b7e3109d0e4894e099a1a18f8
Link:
https://www.unpac.me/results/7783e5b9-d5d6-4a89-9dc0-4a9c27cde4af/
SH256 hash:
897db937c59dea3ec0f34030b5b54e5a1cf30c098e2bd984f279ea519e21a7f8
MD5 hash:
e4e60fe067f2961c0a2ddd468a17f3cc
SHA1 hash:
c0d13bfed25656b286ec5e0cc72c4c3b9ebc9bb6
Link:
https://www.unpac.me/results/7783e5b9-d5d6-4a89-9dc0-4a9c27cde4af/
SH256 hash:
0331c979896c394b7a93fae6ecc86111ef74c4345a0d886f3282cb0e1322f224
MD5 hash:
2f874e92a301a55eeb4612239185d8ac
SHA1 hash:
743cfd212e0542a4b4e4a68d25606499a89dee9b
Link:
https://www.unpac.me/results/7783e5b9-d5d6-4a89-9dc0-4a9c27cde4af/
SH256 hash:
f465ddc6e998686c10866447f5d1228843c5bb804c1eec6970dee6c36626ac0c
MD5 hash:
ccc748cdd330b32b035cfb725fe40d51
SHA1 hash:
5184524c644b568780e7c3ddd58460c3070c2a8f
Link:
https://www.unpac.me/results/7783e5b9-d5d6-4a89-9dc0-4a9c27cde4af/
SH256 hash:
de389cc5045366de69ef81862f6b5cf74b129af9681d064cd18522d30793f9a4
MD5 hash:
a5e2ce872910f7a2d4eebaedd26baa2b
SHA1 hash:
6cc684c0ebe090e1f62e8cd7bdbf07f5182d328c
Link:
https://www.unpac.me/results/7783e5b9-d5d6-4a89-9dc0-4a9c27cde4af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/de389cc5045366de69ef81862f6b5cf74b129af9681d064cd18522d30793f9a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe de389cc5045366de69ef81862f6b5cf74b129af9681d064cd18522d30793f9a4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/352541/

Comments