MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb82da7a94a49478cb961e56e30e0badff98728c9c80dfbcea76eba90ba55e78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb82da7a94a49478cb961e56e30e0badff98728c9c80dfbcea76eba90ba55e78
SHA3-384 hash: a00f4823e7200920be50af4325d94a355417655840204fd26e102f1fb18e7cb207128b62cdf0e32a00f39677658cffab
SHA1 hash: 480ff5a07fd7796c2b52c0ebf5ad01f1299736c1
MD5 hash: a58c0c2fb1c4312f1e612a9e6ac84f55
humanhash: beryllium-hot-undress-green
File name:Halkbank_Ekstre_20221201_081244_137027.r00.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'224'704 bytes
First seen:2022-12-02 10:30:30 UTC
Last seen:2022-12-02 12:47:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:yogh/FMYOhG75Kxmjs3ninJomIGlwRhMyl2T32t:yrh/WBhG757QX/alIhM5j2t
Threatray 6'101 similar samples on MalwareBazaar
TLSH T1BB456E5072A89E55FE3AD7FC36D1040A226A19F1A8BDECD44C8134C30E787C5DBE5A9B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20221201_081244_137027.r00.exe
Verdict:
Malicious activity
Analysis date:
2022-12-02 10:33:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf98b718-eebb-4327-80c7-5e40b1f90a8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341852/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.6413.30565.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6389d3e76ab8d544984c6862/reports/a68cc79a-c977-46eb-839b-fb7d87431ea1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9412180-38c7-46a9-bf1e-9072b1df1049
Result
Threat name:
BluStealer, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126433
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected BluStealer
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 759157 Sample: Halkbank_Ekstre_20221201_08... Startdate: 02/12/2022 Architecture: WINDOWS Score: 100 59 simsekutu.com 2->59 61 mail.simsekutu.com 2->61 69 Malicious sample detected (through community Yara rule) 2->69 71 Sigma detected: Scheduled temp file as task from temp location 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 6 other signatures 2->75 8 Halkbank_Ekstre_20221201_081244_137027.r00.exe 7 2->8         started        12 QJcgelzU.exe 5 2->12         started        14 gnomelike.exe 2->14         started        16 gnomelike.exe 2->16         started        signatures3 process4 file5 51 C:\Users\user\AppData\Roaming\QJcgelzU.exe, PE32 8->51 dropped 53 C:\Users\...\QJcgelzU.exe:Zone.Identifier, ASCII 8->53 dropped 55 C:\Users\user\AppData\Local\...\tmp38DC.tmp, XML 8->55 dropped 57 Halkbank_Ekstre_20..._137027.r00.exe.log, ASCII 8->57 dropped 77 Drops PE files to the user root directory 8->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 8->79 81 Adds a directory exclusion to Windows Defender 8->81 18 Halkbank_Ekstre_20221201_081244_137027.r00.exe 1 9 8->18         started        22 powershell.exe 21 8->22         started        24 schtasks.exe 1 8->24         started        83 Machine Learning detection for dropped file 12->83 85 Writes or reads registry keys via WMI 12->85 87 Injects a PE file into a foreign processes 12->87 26 schtasks.exe 12->26         started        28 QJcgelzU.exe 12->28         started        30 gnomelike.exe 16->30         started        33 schtasks.exe 16->33         started        35 gnomelike.exe 16->35         started        37 gnomelike.exe 16->37         started        signatures6 process7 dnsIp8 63 simsekutu.com 5.2.85.41, 49719, 49720, 49721 ALASTYRTR Turkey 18->63 65 mail.simsekutu.com 18->65 47 C:\Users\user\AppData\...\gnomelike.exe, PE32 18->47 dropped 49 C:\Users\Public\vbsqlite3.dll, PE32 18->49 dropped 39 conhost.exe 22->39         started        41 conhost.exe 24->41         started        43 conhost.exe 26->43         started        67 mail.simsekutu.com 30->67 89 Tries to harvest and steal browser information (history, passwords, etc) 30->89 45 conhost.exe 33->45         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb82da7a94a49478cb961e56e30e0badff98728c9c80dfbcea76eba90ba55e78/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-02 10:31:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5obnu6uuuskhrs4wdzlogdqlvx7zq4umtsan7phko3v2sc5flz4a._file
Verdict:
malicious
Similar samples:
03c5fe80c0077a6c33fdbac342b7895b61c66377b7419e473bdabee3bed1a92c
DarkCloud
2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644
DarkCloud
47bfa1c709df60a24f4bf9a3466175654781d05ce1647e3dc9bc22e939435cc7
DarkCloud
4a18558d47715d4869b75f738052786c8b85681aea3ff093002cd6b9dfd55c1c
DarkCloud
4ab85efebfd81e20170cceb7f76e9fa010952504265fc5b5d0319b1131c60ea8
DarkCloud
b379fb042db6563638cb488ea4fccf10fd9ed69caecf2341997fdc6dc8fda3b5
DarkCloud
c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17
DarkCloud
cb5a09fbb8c760f829a4b474f381b32a3ae68ec6e82c6b3d2fd8d2ef38b40d61
DarkCloud
+ 6'091 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/221202-mkenzaha86/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
DarkCloud
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f819ca85-f7a5-425d-be0a-7eccfa413ca6
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/65aa8c80-3692-4087-8d23-a5160d61d852/
SH256 hash:
9ce995d9fa07290fbb7eec37bf1fbd46ac07dc69c291e848e4f32b609044e648
MD5 hash:
1cc0e01495dcb13d45ffa49230104070
SHA1 hash:
029fceb4114d586736fcc43a656a03844395aca5
Link:
https://www.unpac.me/results/65aa8c80-3692-4087-8d23-a5160d61d852/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/65aa8c80-3692-4087-8d23-a5160d61d852/
SH256 hash:
778ac0db008c3f006adf81109d9ffd61403ad6bd9cbb96ed18c8b1afbd3f3f34
MD5 hash:
fe77b29ce90fcebb48f565600f8f5a5c
SHA1 hash:
a9f147a807966a9c5bc034ee3a0a3190cf9f05f0
Link:
https://www.unpac.me/results/65aa8c80-3692-4087-8d23-a5160d61d852/
SH256 hash:
19989723e5c2fbeb2ca8fbe298fd75e2b2cf282b9849cb09895cbfdbd44de73a
MD5 hash:
da75d046a5940b804e3947d906699bac
SHA1 hash:
4674e233edcd9855cc0c827ab0a4e4a29a052663
Link:
https://www.unpac.me/results/65aa8c80-3692-4087-8d23-a5160d61d852/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/65aa8c80-3692-4087-8d23-a5160d61d852/
SH256 hash:
eb82da7a94a49478cb961e56e30e0badff98728c9c80dfbcea76eba90ba55e78
MD5 hash:
a58c0c2fb1c4312f1e612a9e6ac84f55
SHA1 hash:
480ff5a07fd7796c2b52c0ebf5ad01f1299736c1
Link:
https://www.unpac.me/results/65aa8c80-3692-4087-8d23-a5160d61d852/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb82da7a94a49478cb961e56e30e0badff98728c9c80dfbcea76eba90ba55e78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/341852/

Comments