MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0e6e09142251c9f332d1e196c346ffc91e029a73935877ebaea34a78533c916. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0e6e09142251c9f332d1e196c346ffc91e029a73935877ebaea34a78533c916
SHA3-384 hash: 6d629459c978812364979fd030c386d159e89175c7dd036a7b1dbbc0b8a6d947d4fa99ba337dfa93f44e52542fc4dc55
SHA1 hash: 832c244980b0416fcdfcacd4395ba551b6ab69c6
MD5 hash: 2fecbf0f723458decf3c8372457fad00
humanhash: moon-spring-artist-oxygen
File name:2fecbf0f723458decf3c8372457fad00.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'008'128 bytes
First seen:2023-04-14 06:51:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:/f1YLhoTDEz9eIBlxniSC7Mq/XRq6Wys:na9ovEz9eYldnCwqPR
Threatray 148 similar samples on MalwareBazaar
TLSH T19925236AB2E9CF25D1AF47BA7C95350B23B2164BB535D1AC1CCA00DD3A297B44C52EC3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DarkCloud exe Telegram

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice.doc
Verdict:
Malicious activity
Analysis date:
2023-04-14 05:53:31 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/6c5eb20e-2e7e-483a-9e1e-f530fd72aeab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382196/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/6438f8168cbb8f4be303bbad/reports/c5b804b7-f174-44c3-af21-7dfc26066c02/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e0e6e09142251c9f332d1e196c346ffc91e029a73935877ebaea34a78533c916
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c49a0c73-da22-42ac-8078-c46a18b602d2
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213704
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0e6e09142251c9f332d1e196c346ffc91e029a73935877ebaea34a78533c916/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dtobekceuoj6mzndymwyndp7si6aknhhe2yo7v25i2kpbjtzela._file
Verdict:
malicious
Similar samples:
07191de70521a8e76624cfafc6eba3edd19d7784c4c4c683b55f3fd16e377b38
DarkCloud
0a65bdc8a4ddc23e2d4fed87eb161185359b5ce38f9483ba5e0786d3c8aa8c34
DarkCloud
22966ba42f0a0adda0c87caa3aa1b8b9fcc8537081b2a6c2791df3b37a4ca5cf
DarkCloud
3d35655b8a265b213dba9d23a9542e024895cba4c18dbfb782cb844125c23654
DarkCloud
935a2843dc01d80582184dd6aa77fc2f4c99aaeb48b9dfef6a1e1df2e927feda
DarkCloud
ced049b334ce9d4a11a333eb078271f027d2b64fb3d00760e17ba355ad8ae057
DarkCloud
d44d7cdd0f94710f6b72db3b98f5742ce9be0869f22bab9aaae8f6aa923c73d2
DarkCloud
ee734d6d93d42624ffd7f363f3252ee46cfbc5b6adef174447232605bda7d607
DarkCloud
f2ac3613b5bc01f54ab4a17e099b7e8174c45bec46fdc443a3a50c2c25724488
DarkCloud
+ 138 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230414-hm3rcsgg45/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot5910132523:AAEKRc8fOn4WgyrXgHzd8WfRx78_lEgkCaI/sendMessage?chat_id=5877439820
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/4bcdd57b-4b6d-401d-b796-c532cfec9744/
SH256 hash:
c49d036645f0e439f46495d65b44aebeddab7f93e3e4c3eb93e1b5c7657fb4cd
MD5 hash:
f7682664941556f47b8a6babec2840de
SHA1 hash:
f745ba05a468b57569d3ad61a5b935e81ed61b0a
Link:
https://www.unpac.me/results/4bcdd57b-4b6d-401d-b796-c532cfec9744/
SH256 hash:
d33490684cb388280f014994a95e3aa035f7f64e6e1e4219ab667d756cb2c74f
MD5 hash:
8009f92842d8668d20e478d316f23a0f
SHA1 hash:
f6de590b4fdb7866165a705fb1012d300aea7e2e
Link:
https://www.unpac.me/results/4bcdd57b-4b6d-401d-b796-c532cfec9744/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/4bcdd57b-4b6d-401d-b796-c532cfec9744/
SH256 hash:
721ef3865a1da00028f79602bdbdc1147b86c0a631f8cac36a108ae7c109515d
MD5 hash:
26b6215c365d0c2cea7dc925a6b2578d
SHA1 hash:
74d28e46531443aecf139f1dcfcaa8d0d0fde060
Link:
https://www.unpac.me/results/4bcdd57b-4b6d-401d-b796-c532cfec9744/
SH256 hash:
d96933f45ce46bbd0e58ba031cef610cee34b5bff7d6b4d161a3864dc3b60eb0
MD5 hash:
dc0d066986480fef37b2dd6d89c8fd1f
SHA1 hash:
665c3ce294ac03df6de806f4c80b5a2aee53e6e1
Link:
https://www.unpac.me/results/4bcdd57b-4b6d-401d-b796-c532cfec9744/
SH256 hash:
e0e6e09142251c9f332d1e196c346ffc91e029a73935877ebaea34a78533c916
MD5 hash:
2fecbf0f723458decf3c8372457fad00
SHA1 hash:
832c244980b0416fcdfcacd4395ba551b6ab69c6
Link:
https://www.unpac.me/results/4bcdd57b-4b6d-401d-b796-c532cfec9744/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkCloud

Executable exe e0e6e09142251c9f332d1e196c346ffc91e029a73935877ebaea34a78533c916

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2591294/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382196/

Comments