MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5106e6f71ece18c0546160026a566080c51f456f00e6e5e53756345eed48d99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5106e6f71ece18c0546160026a566080c51f456f00e6e5e53756345eed48d99
SHA3-384 hash: c97f5eab35dad697ebc6b5cc2810132ce816d60fc313310677bb04133cac9402a9c2d575dafe44036994286a7e338443
SHA1 hash: cdd16111c37577ba705e9318570299eddffea0ac
MD5 hash: 0fd43f22fe533f0e4fe393d8355e2b2e
humanhash: alpha-red-delaware-cup
File name:INVOICE098765678DCOP.PDF.Z
Download: download sample
Signature DarkCloud
Create hunting rule
File size:498'705 bytes
First seen:2023-05-10 06:27:44 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:ophj36f8PIekUbooPqgTOBknM7dOkKenJll0YEQa4QEWlW:gtqf8PI8P6BCeOcJll0Y+tI
TLSH T1D4B423D382DD2905F2F0F48B9B932628A1EDB59B933704335CA21E476BC21EA4C6B45D
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:DarkCloud INVOICE z zip


Avatar
cocaman
Malicious email (T1566.001)
From: "pearlfibeexport@gmail.com" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [185.222.57.73]) "
Date: "10 May 2023 04:50:18 +0200"
Subject: "NEW ORDER PO# 463"
Attachment: "INVOICE098765678DCOP.PDF.Z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
446
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:INVOICE098765678DCOP.exe
File size:656'384 bytes
SHA256 hash: dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249
MD5 hash: e3351c05add94fac7045aea930fcface
MIME type:application/x-dosexec
Signature DarkCloud
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.26124.24272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/e5106e6f71ece18c0546160026a566080c51f456f00e6e5e53756345eed48d99/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed xpack
Link:
https://www.filescan.io/uploads/645b3972d860ee3e1ca69ad1/reports/7abf78b4-4a06-40e7-bc3c-4501ebbc5c27/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e5106e6f71ece18c0546160026a566080c51f456f00e6e5e53756345eed48d99
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e5106e6f71ece18c0546160026a566080c51f456f00e6e5e53756345eed48d99
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5106e6f71ece18c0546160026a566080c51f456f00e6e5e53756345eed48d99/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 01:26:06 UTC
File Type:
Binary (Archive)
Extracted files:
7
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4uig433r5tqyybkgcyacnjlgbagfd5cw6ahg4xstovrul3wurwmq._file
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230510-hpsdeage81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
DarkCloud
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip e5106e6f71ece18c0546160026a566080c51f456f00e6e5e53756345eed48d99

(this sample)

DarkCloud

Executable exe dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 dabc51f754d18831689fcc7a554459a2ca2f023b40ef126e6cd721c225a75249
  
Dropping
MD5 e3351c05add94fac7045aea930fcface

Comments