MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e26a7e9f02534be37e8ba5e122e7016709913865c856a34326dd7c8672b3dfc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e26a7e9f02534be37e8ba5e122e7016709913865c856a34326dd7c8672b3dfc8
SHA3-384 hash: 8239cd470bcff187e02717ce105f8fc279273a8d07cbc602a827b15480d6a7d6cad6caae6ffee7b247051f0c3c6eb1ef
SHA1 hash: 360276f22aee72ec6e575ad1c8bb31c8debf6b70
MD5 hash: afc284d6d31f3eb585a351322ca08620
humanhash: mockingbird-batman-robin-sweet
File name:e26a7e9f02534be37e8ba5e122e7016709913865c856a34326dd7c8672b3dfc8
Download: download sample
Signature DarkCloud
Create hunting rule
File size:2'838'016 bytes
First seen:2025-05-09 13:31:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:ou0c++OCvkGs9Fan4bsjOx1Adt55VgTygvyl1i8AaQ8mRbWTZY:fB3vkJ9/bsjOxqZvVsyl4IDmsZ
Threatray 4 similar samples on MalwareBazaar
TLSH T168D5011263DEC360CB769273BF69B7056EBB7C210634B95B6F840C79A960172123D7A3
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e26a7e9f02534be37e8ba5e122e7016709913865c856a34326dd7c8672b3dfc8
Verdict:
Malicious activity
Analysis date:
2025-05-09 19:30:33 UTC
Tags:
auto-startup
Link:
https://app.any.run/tasks/f7ee6050-1500-4cd0-b621-0c6fd485b686

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.vh.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681e053ae16384d6a70347b7
Tags:
autorun autoit emotet lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Creating a file in the %AppData% directory
Modifying an executable file
Launching a service
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Modifying a system executable file
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Loading a system driver
Unauthorized injection to a recently created process
Enabling autorun for a service
Query of malicious DNS domain
Enabling autorun by creating a file
Unauthorized injection to a system process
Infecting executable files
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context autoit compiled-script fingerprint keylogger microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/681e03dfc7418694c8a805d8/reports/39e18775-8117-4e6d-b54c-6c8359738cfb/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e26a7e9f02534be37e8ba5e122e7016709913865c856a34326dd7c8672b3dfc8
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/caf99b9b-5d26-44a7-9cbf-2346039d84a6
Result
Threat name:
AgentTesla, DarkCloud, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1686307
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to log keystrokes (.Net Source)
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1686307 Sample: 1k9N180xTW.exe Startdate: 10/05/2025 Architecture: WINDOWS Score: 100 62 zlenh.biz 2->62 64 www.anpmnmxo.biz 2->64 66 12 other IPs or domains 2->66 76 Suricata IDS alerts for network traffic 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 15 other signatures 2->82 10 1k9N180xTW.exe 4 2->10         started        14 wscript.exe 2->14         started        16 alg.exe 2->16         started        19 19 other processes 2->19 signatures3 process4 dnsIp5 58 C:\Users\user\AppData\...\immortalised.exe, PE32 10->58 dropped 112 Binary is likely a compiled AutoIt script file 10->112 21 immortalised.exe 2 10->21         started        114 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->114 25 immortalised.exe 14->25         started        60 172.233.219.78, 49743, 80 AKAMAI-ASN1EU United States 16->60 116 Creates files in the system32 config directory 16->116 118 Contains functionality to behave differently if execute on a Russian/Kazak computer 16->118 120 Creates files inside the volume driver (system volume information) 19->120 122 Found direct / indirect Syscall (likely to bypass EDR) 19->122 file6 signatures7 process8 file9 48 C:\Users\user\AppData\...\immortalised.vbs, data 21->48 dropped 84 Binary is likely a compiled AutoIt script file 21->84 86 Drops VBS files to the startup folder 21->86 88 Sample uses process hollowing technique 21->88 90 Switches to a custom stack to bypass stack traces 21->90 27 immortalised.exe 1 21->27         started        30 RegSvcs.exe 21->30         started        92 Writes to foreign memory regions 25->92 94 Maps a DLL or memory area into another process 25->94 32 RegSvcs.exe 25->32         started        signatures10 process11 signatures12 124 Binary is likely a compiled AutoIt script file 27->124 126 Writes to foreign memory regions 27->126 128 Maps a DLL or memory area into another process 27->128 34 RegSvcs.exe 6 27->34         started        process13 file14 44 C:\Users\user\AppData\Local\...\newfile.exe, PE32 34->44 dropped 46 C:\Users\user\AppData\Local\Temp\Payday.exe, PE32 34->46 dropped 37 Payday.exe 16 34->37         started        42 newfile.exe 2 34->42         started        process15 dnsIp16 68 parkingpage.namecheap.com 91.195.240.19, 49742, 49747, 80 SEDO-ASDE Germany 37->68 70 anpmnmxo.biz 192.64.119.165, 49740, 49746, 80 NAMECHEAP-NETUS United States 37->70 74 7 other IPs or domains 37->74 50 C:\Windows\System32\wbengine.exe, PE32+ 37->50 dropped 52 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 37->52 dropped 54 C:\Windows\System32\vds.exe, PE32+ 37->54 dropped 56 139 other malicious files 37->56 dropped 96 Tries to harvest and steal browser information (history, passwords, etc) 37->96 98 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 37->98 100 Drops executable to a common third party application directory 37->100 102 Infects executable files (exe, dll, sys, html) 37->102 72 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 42->72 104 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->104 106 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 42->106 108 Tries to steal Mail credentials (via file / registry access) 42->108 110 Tries to harvest and steal ftp login credentials 42->110 file17 signatures18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e26a7e9f02534be37e8ba5e122e7016709913865c856a34326dd7c8672b3dfc8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e26a7e9f02534be37e8ba5e122e7016709913865c856a34326dd7c8672b3dfc8/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-04-22 18:30:53 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jvh5hycknf6g7uluxqsfzybm4ezcodfzblkgqzg3v6im4vt37ea._file
Verdict:
malicious
Label(s):
zgrat
Create hunting rule
unc_loader_036
Create hunting rule
unc_loader_001
Create hunting rule
expiro
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
567ba3c58cd638c6795526ba0cc119eedc5afe6baaf0e1844ba87fd9fa3a29de
DarkCloud
c59cc58233220bfefce324f3412e9a6bcb1ce9ebec5dd77a853b7364d0c1876b
DarkCloud
c981675fb117f50a14c8b361ad4a8d0addc26cdf766ad04e36dd6ac093fb6e11
DarkCloud
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250509-qsmakawlw8/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Drops startup file
Executes dropped EXE
Verdict:
Suspicious
Tags:
trojan expiro darkcloud
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/280800e4-3d10-4c91-a1e7-f1e9fc9ec993
Unpacked files
SH256 hash:
0b2d86b3a63951682832de932cba72b9193e5dc042e8642a3ac68abe6b2da9d9
MD5 hash:
d7f8d632df1d7ba659296abd74d57ae4
SHA1 hash:
03154ff2dcbe787a7f7d71bba9308718f0370002
Detections:
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/bc45e13d-f4b8-4028-9b40-3b98a5651700/
SH256 hash:
6faa3fbc18acce2be35c8a74e641654eb4c63fd9154b87fba239f6b7ca53b735
MD5 hash:
9a1bf829924be736b9ea17a79a24a174
SHA1 hash:
2d673e377c3b8649b6b7e05ff3f912c76fc3e83b
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/bc45e13d-f4b8-4028-9b40-3b98a5651700/
SH256 hash:
a46e24237a50ac3076ddbec3e7875e882cb9b323cd08106aad239929a5659767
MD5 hash:
b09271ba8c516fe7fe47f492e03310a8
SHA1 hash:
7a9c649f469f2523fd8e153a755bb2c36e8e215d
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/bc45e13d-f4b8-4028-9b40-3b98a5651700/
Parent samples :
567ba3c58cd638c6795526ba0cc119eedc5afe6baaf0e1844ba87fd9fa3a29de
e1b0d0f18a452022e45b4dd63d32d5b9686f6a07f34fa886727b92a9b1071132
e26a7e9f02534be37e8ba5e122e7016709913865c856a34326dd7c8672b3dfc8
95f3ecc3d08e23770a8fb82e1a57ae6ba41eeec8aeecc73158fade9be732ba7a
00bfd9c7e7ccbeafb8096def85a900153fa548ddf396735fcd84fe05f4ec2961
SH256 hash:
f989a523ee2f5f363753b8dc04330d97d7505e6f803e8f9648090581138d7eb6
MD5 hash:
b19db1def8450ed8719a962479c5bb61
SHA1 hash:
de7fe45b77d460ed02707a098d60a5bff66b516d
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
Link:
https://www.unpac.me/results/bc45e13d-f4b8-4028-9b40-3b98a5651700/
SH256 hash:
26ef7ba3b5afb131eac0ce1414f02087347d1468db0c3c9f2b0b9bbc8d3b1e40
MD5 hash:
c0b5bb208db12d823a51e7d1ba1177c4
SHA1 hash:
65a51cfe27edfff00aeaa9fd9183a38133c60110
Link:
https://www.unpac.me/results/bc45e13d-f4b8-4028-9b40-3b98a5651700/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/bc45e13d-f4b8-4028-9b40-3b98a5651700/
SH256 hash:
abdd6f31a909b0b10e30ced74a1f6f037adf1f61a8a842048dbc254d6f076169
MD5 hash:
c33a7f0e25bb3f4d3c19fc8441e9d12b
SHA1 hash:
0286b277e97b9f7c217a0d029e8144f8e20b40b9
Link:
https://www.unpac.me/results/bc45e13d-f4b8-4028-9b40-3b98a5651700/
SH256 hash:
e26a7e9f02534be37e8ba5e122e7016709913865c856a34326dd7c8672b3dfc8
MD5 hash:
afc284d6d31f3eb585a351322ca08620
SHA1 hash:
360276f22aee72ec6e575ad1c8bb31c8debf6b70
Link:
https://www.unpac.me/results/bc45e13d-f4b8-4028-9b40-3b98a5651700/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e26a7e9f0253/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_ebf62328
Create hunting rule
Author:Elastic Security
Rule name:win_m0yv_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.m0yv.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments