MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1156b2e6b8500afa5e8a45d46a3420a33be357d5af362a224dc39e253fc720f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	e1156b2e6b8500afa5e8a45d46a3420a33be357d5af362a224dc39e253fc720f
SHA3-384 hash:	5bec42fdca7de0dd2de44c85b45f600c5d789a634f1a8e5d133105489ca78009472342611a8657a55bc00f0718b682ae
SHA1 hash:	87411fc5d13aef29b17d5a54cadb4dbb0245d78e
MD5 hash:	687acf4479fbd86277fdf370e9535e85
humanhash:	virginia-bluebird-paris-washington
File name:	PURCHASE ORDER.exe
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	956'416 bytes
First seen:	2023-07-18 09:30:29 UTC
Last seen:	2023-07-18 09:33:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	24576:RN6GEf3tyqvbEtsJElhBstN+YDFt9/FGm72BZcHuE:b6hfgOQtMB/Hl8hZcHuE
Threatray	474 similar samples on MalwareBazaar
TLSH	T1591523B88DA76827C46B2FFEA41052B103B58EED740BE2570D09F57BFE26B494910787
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	cocaman
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PURCHASE ORDER.exe

Verdict:

Suspicious activity

Analysis date:

2023-07-18 09:31:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/17075c66-0c22-4976-8f0b-32a861fa61a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/423299/

Detection(s):

Sanesecurity.Rogue.0hr.20230718-1038.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64b65bdcfd9e198dc115789b/reports/9cde1868-ec97-4603-918c-e2eb698a41fb/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e1156b2e6b8500afa5e8a45d46a3420a33be357d5af362a224dc39e253fc720f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/baca54a1-60d1-4e5a-8e0a-e7eff90ef966

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1274986

Signature

.NET source code contains potential unpacker

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes or reads registry keys via WMI

Yara detected DarkCloud

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e1156b2e6b8500afa5e8a45d46a3420a33be357d5af362a224dc39e253fc720f/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-18 09:30:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 25 (68.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ekwwltlquak7jpiurouni2cbiz34nl5llzwfire3q46eu74oihq._file

Verdict:

malicious

DarkCloud

104ef2e1223676a6d315da9de43b53286de58d5a390cb6d8c0ef391e7ee23a86

DarkCloud

174ed156f6f1c67a8b09b72ab463b69c2d9aae053a5dffb6d4630bdea6308153

DarkCloud

3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520

DarkCloud

46506e04f95c639e103cfd2be43f56e9e5af5f1a3db6cb9588a050d9d842a76a

DarkCloud

55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f

DarkCloud

5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b

DarkCloud

a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93

DarkCloud

ed6006755e51eded9bc077db183831125a767b605fddd9109a635b3af7e4f8f0

DarkCloud

ffb19cac93e35be747f5418116248e185687596877812115588cd59763d1ed15

DarkCloud

+ 464 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud stealer

Link:

https://tria.ge/reports/230718-lg3e7aab61/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

DarkCloud

Malware Config

C2 Extraction:

https://api.telegram.org/bot6267068129:AAE4AO_gQGAeEakYl26r7KthrUjdWAdy5c0/sendMessage?chat_id=1909112828

Unpacked files

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/8a499bc6-b9cf-4ece-be37-3aa402b4e5bc/

SH256 hash:

45b5a61e4a8f4025d3e94f407c0e84a2cde427a918f2a5446278e22117da1d4c

MD5 hash:

ca775551666be768a9241f43eec98b87

SHA1 hash:

fbbd937067a24c48ee5274d3fa2881a991e64f3c

Link:

https://www.unpac.me/results/8a499bc6-b9cf-4ece-be37-3aa402b4e5bc/

SH256 hash:

b86383b63f56376e45563548b78690993b1823a28741b1d903489a04a1434a22

MD5 hash:

c970029dab6c4d1feaf0efb4f1673121

SHA1 hash:

f505ca351ead1e89544668fcff7e01ed818a66d2

Link:

https://www.unpac.me/results/8a499bc6-b9cf-4ece-be37-3aa402b4e5bc/

SH256 hash:

7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941

MD5 hash:

508ba12479b3d78edb93f63b40ab3b7f

SHA1 hash:

d72b842c46546e4e494c9338b530e305dae1d5d2

Link:

https://www.unpac.me/results/8a499bc6-b9cf-4ece-be37-3aa402b4e5bc/

SH256 hash:

768177cb74f4da14474e61d66d6f0e3535ba4ad2cf61a2ac4de28d18061db58b

MD5 hash:

68db3784536c2c089d430da6e73d9f14

SHA1 hash:

2dbb634d5732c376bbb8b07357e431596880abdf

Link:

https://www.unpac.me/results/8a499bc6-b9cf-4ece-be37-3aa402b4e5bc/

SH256 hash:

e1156b2e6b8500afa5e8a45d46a3420a33be357d5af362a224dc39e253fc720f

MD5 hash:

687acf4479fbd86277fdf370e9535e85

SHA1 hash:

87411fc5d13aef29b17d5a54cadb4dbb0245d78e

Link:

https://www.unpac.me/results/8a499bc6-b9cf-4ece-be37-3aa402b4e5bc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e1156b2e6b85/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e1156b2e6b8500afa5e8a45d46a3420a33be357d5af362a224dc39e253fc720f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.