MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105
SHA3-384 hash: 3cbe5b19bb7ed65c2d86c8b60bf0781fbfeb280058cbe1d66c88a71caffb2a89616c77bf0b7f2ce90401438fe7ab927d
SHA1 hash: 3758be222203d10284c89e01006f660f03ab02e6
MD5 hash: f68a81a8dcf57ce0dbb5f4853b0bf95e
humanhash: pennsylvania-fanta-item-eighteen
File name:NEW_SUPPLY_ORDER.scr
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'641'472 bytes
First seen:2026-05-15 09:04:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'930 x AgentTesla, 19'824 x Formbook, 12'310 x SnakeKeylogger)
ssdeep 24576:YFqYflPCmQui1rBgc+9io4nc/I887O9GL52AXTg7yo:IBYus3o4czGO9GtZ
Threatray 15 similar samples on MalwareBazaar
TLSH T1D775D02E2ACF445CD0D1DF789B3237D407B0943758F2D3577B8C53B8EA266A56A8C292
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
DeepSea
Details
DeepSea
DeepSea decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/b6458ade-8941-4f44-8463-642fc2018364/
Malware family:
n/a
ID:
1
File name:
_e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105.exe
Verdict:
Malicious activity
Analysis date:
2026-05-15 09:05:38 UTC
Tags:
netreactor darkcloud stealer evasion telegram susp-attachments
Link:
https://app.any.run/tasks/0088b7ab-dea9-4988-9f1f-c3c4e08f9566

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66013/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.8.Gen.76346525.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a06e1a846d6967b3d907540
Tags:
virus micro remo
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 crypt lolbin masquerade obfuscated obfuscated stealer tracker vbnet
Link:
https://www.filescan.io/uploads/6a06e19e2fcb905ec299dcf9/reports/b2b1abec-3d21-493d-8049-bb9cf3212f5a/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-13T13:14:00Z UTC
Last seen:
2026-05-15T03:07:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.MSIL.Inject.sb Trojan.MSIL.Inject.b Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.DarkCloud.sb Trojan-PSW.MSIL.Agentb.sb HEUR:Trojan-PSW.MSIL.Agensla.gen HackTool.ReconScan.HTTP.ServerRequest
Link:
https://opentip.kaspersky.com/e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105/results?tab=lookup
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cea0d5d7-40e6-4661-8d2b-bd487b669039
Result
Threat name:
DarkCloud, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1913917
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected DarkTortilla Crypter
Yara detected MSIL Injector
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/f68a81a8dcf57ce0dbb5f4853b0bf95e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-05-13 16:05:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=446mgjkstwombwy2r53pmiy4wn7t6mh6jyrabcuz5klzf435yecq._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
490644b09dd5e68cfea06b6380672071ec83ae4a04dcbb1a61322dcabdf9e0d3
DarkCloud
67435818ec3ccd9768649f84d5753d7130b7833333beadbd4b5975e3eb08bdeb
DarkCloud
87d9440b64a6a9d0409c7492c125620cadf930d5191881e1e8eff772f1f961fc
DarkCloud
a2b77c33ea165b0a7b753e41a7b9bc0c626cc323feb031203cf3d52e3f750f9c
DarkCloud
e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105
DarkCloud
error
DarkCloud
+ 5 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105
MD5 hash:
f68a81a8dcf57ce0dbb5f4853b0bf95e
SHA1 hash:
3758be222203d10284c89e01006f660f03ab02e6
Link:
https://www.unpac.me/results/ecf2f83f-b0fd-4d81-84f9-3791dcca32cb/
SH256 hash:
19ff2f21534447ea387d4713f42981a8a7f00716b48b1a57c2342564cc7dd4ea
MD5 hash:
beb3524385a7c4f3433a2a647729f08f
SHA1 hash:
273cce409ecee508b23116169d2e0b3fec9b5dcc
Link:
https://www.unpac.me/results/ecf2f83f-b0fd-4d81-84f9-3791dcca32cb/
SH256 hash:
18bf646fad26a0aa1264cac867789c6d9f4de762bc83b9aeeff0f8d8d48ee6ac
MD5 hash:
4faf9d90e22fe6f5452ab806bb763ed7
SHA1 hash:
564455391f73d9d8f3baf3b907dfb9723f249820
Link:
https://www.unpac.me/results/ecf2f83f-b0fd-4d81-84f9-3791dcca32cb/
SH256 hash:
69b83d39655ef00f775e5bc22b91874d629e68319550000343c581318fbe6fd4
MD5 hash:
b02d83e8ecf71c6399a3b3be638fb93b
SHA1 hash:
dfaff9ecb5aeab521334bf05aa7832d3d9af9451
Link:
https://www.unpac.me/results/ecf2f83f-b0fd-4d81-84f9-3791dcca32cb/
SH256 hash:
8b16e77a678fd79d8aa620bf92263cdbc0241e5c99057abeaeee5f90e3533c8b
MD5 hash:
97dabce3382db42502c3a19c6857aeb9
SHA1 hash:
e33fab58e5e66309d5a046b1f939997a8d0cdf4b
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/ecf2f83f-b0fd-4d81-84f9-3791dcca32cb/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/ecf2f83f-b0fd-4d81-84f9-3791dcca32cb/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e73cc325529d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe e73cc325529d9cc0db1a8f76f6231cb37f3f30fe4e22008a99ea9792f37dc105

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/66013/

Comments