MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e
SHA3-384 hash: 27deea6344a31cc5b91bf00917596ad06d26f282f88335c66ee00ce0444642a54914d25d29a21dfac9c8c751347478f6
SHA1 hash: 2d8d19b6654dd949837c1ba2d1974a8f3f58ddb0
MD5 hash: db416547d92e1f2179131d797be72cb8
humanhash: yankee-stream-hot-purple
File name:copia de pago.pdf.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:937'472 bytes
First seen:2024-08-20 05:58:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:0xxC/qaSupSzqntnSCkaQ2M3QIpU0n8KpJ6MKLuFcK:0viUupSzqnt90UIY6
Threatray 219 similar samples on MalwareBazaar
TLSH T1E21512623B44DD02C27F1EB42561DA7943719D9A9433D30FAEE9BCBF741AB8201622D7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 806cce9c90c06488 (7 x Formbook, 6 x AgentTesla, 5 x SnakeKeylogger)
Reporter abuse_ch
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
copia de pago.pdf.exe
Verdict:
Malicious activity
Analysis date:
2024-08-20 06:05:08 UTC
Tags:
netreactor darkcloud upx
Link:
https://app.any.run/tasks/30d8c0ed-e3ea-46e4-bb4d-0cbb22c52684

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject5.7524.22737.11523.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c430a8b2a4681a729659b2
Tags:
Discovery Execution Infostealer Network Static Stealth Darkcloudsteal
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/66c430a79a458267e53f36b6/reports/85d2bf3e-bc21-492a-9857-59c01f2f3379/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8663a0c6-4667-4206-9e04-9cdaeb0e3ad7
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1495415
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1495415 Sample: copia de pago.pdf.exe Startdate: 20/08/2024 Architecture: WINDOWS Score: 100 46 api.telegram.org 2->46 48 86.23.85.13.in-addr.arpa 2->48 50 2 other IPs or domains 2->50 56 Suricata IDS alerts for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Sigma detected: Scheduled temp file as task from temp location 2->60 64 14 other signatures 2->64 8 copia de pago.pdf.exe 7 2->8         started        12 qmGSOKpoKl.exe 5 2->12         started        signatures3 62 Uses the Telegram API (likely for C&C communication) 46->62 process4 file5 38 C:\Users\user\AppData\...\qmGSOKpoKl.exe, PE32 8->38 dropped 40 C:\Users\...\qmGSOKpoKl.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp6BBE.tmp, XML 8->42 dropped 44 C:\Users\user\...\copia de pago.pdf.exe.log, ASCII 8->44 dropped 66 Adds a directory exclusion to Windows Defender 8->66 14 powershell.exe 23 8->14         started        17 copia de pago.pdf.exe 35 8->17         started        19 schtasks.exe 1 8->19         started        21 copia de pago.pdf.exe 8->21         started        68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 72 Writes or reads registry keys via WMI 12->72 23 qmGSOKpoKl.exe 40 12->23         started        26 schtasks.exe 1 12->26         started        signatures6 process7 dnsIp8 74 Loading BitLocker PowerShell Module 14->74 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 17->30         started        32 WmiPrvSE.exe 17->32         started        34 conhost.exe 19->34         started        52 api.telegram.org 149.154.167.220, 443, 56612, 56613 TELEGRAMRU United Kingdom 23->52 54 showip.net 162.55.60.2, 49716, 49723, 80 ACPCA United States 23->54 76 Tries to harvest and steal browser information (history, passwords, etc) 23->76 36 conhost.exe 26->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e/
Threat name:
ByteCode-MSIL.Trojan.DarkCloudSteal
Create hunting rule
Status:
Malicious
First seen:
2024-08-20 00:44:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zvbc4oyarey3e5tq57bmsnd6adv76wwo2dvzb26i54iemzdnexa._file
Verdict:
malicious
Similar samples:
72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696
DarkCloud
7d50338fe1feeb6944bfd552e44f266d764dafc089b853a6ee24f67ef322c124
DarkCloud
8f81ed1c250530c6a24f60a8f0c39f48bd2c98f08e6100bc8f844fc3a53c6909
DarkCloud
943d44f043396e794716c4d82c4345e749eead0807592339cdde186a7bd83c51
DarkCloud
b9996528bea4f182b005ba60e72f604602f0749e5b083a013d6096a3960052d2
DarkCloud
ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e
DarkCloud
+ 209 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery execution stealer
Link:
https://tria.ge/reports/240820-gpqzxazgqm/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6201772437:AAE8z2HCV4dlViF8O7_bVozdyvuR6EkBCPA/sendMessage?chat_id=1909112828
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3341454a-7107-455f-a1ea-d78c74ef08f7
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/5e97e230-377f-4845-9dfb-33c253626d0d/
SH256 hash:
8ded42c9497f99dd8b747b8da9c7963e6fa3d6e7f3622ef1fbaa04b50efe9d17
MD5 hash:
7017a883e86a0e5bdc2ab2d18534cdf9
SHA1 hash:
b40fc9e21fa53ddc9b4ff6cafc7d0b591bfc34a8
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5e97e230-377f-4845-9dfb-33c253626d0d/
Parent samples :
8f81ed1c250530c6a24f60a8f0c39f48bd2c98f08e6100bc8f844fc3a53c6909
7534c32fa2dff5d752801f84545c23d8c09b7b8a698a61169a9e1a851699120c
7e9e2285a304449495c336285f1f7f0153c175ab2cd5c35492d6565d89c8c137
6cc066c3a33644d8a54496de97374b7a8804b490f7d3ca66c62c1bc6cb695fa5
72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696
db87b7e683d92aa8d013663c6bc6ba116023af2cb7f9ec6c2ad88694235f2b12
d6cbd0b24b82cebe1a66094b0678d66c5f508f5a1c98d7143de9d1871daeffc3
72e3890b8af3c836705f640704aa03680b1092e5c021a2bfff35d931062bfd89
13f0a05e86fdf85e8891b494574421ff3da0be5e7a71e48f7e32f6c9f35eb2f7
7d50338fe1feeb6944bfd552e44f266d764dafc089b853a6ee24f67ef322c124
9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8
943d44f043396e794716c4d82c4345e749eead0807592339cdde186a7bd83c51
a76d6e19ac59db6afea91b625c29f06f25316ccb74e1b7bdd59c68cb0aefac34
b9996528bea4f182b005ba60e72f604602f0749e5b083a013d6096a3960052d2
00082a148e8eb6745164c0cbf7c142539ada8fb4004deb8b3ae028b7181c552b
053c940f835b1c6624b6b0421b680da5c984b056734db107a7d6c8dfbe1837fd
8e3db35284b6e1ea560c14a69ea4dfd6ef8e27fe9974a609116d00f2d764bfeb
e7573cb6869df680fa42552e27b1a6bd2cd5a76c48b1660a41897dc30a0e53ba
f8353eb981e7fce8af5663a30b6ad844d44d7eda87ff717f85f0046e3c065985
ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e
35a9609805bde63b4e22255d365fc6a61724fcb9f8456899bb085b76f0160d5d
d00af7d1aa35864537045299a782f3b010d5fe3a7e40bbe04846a2baa07a93a3
75a2f037e46961ac9e70ac8a8d52f06b4b20786ac7ac596abbb039c6a2715430
d3c4f42060fe5520553f915832b413f6f8f0f55307646f86b44b150389069463
40cebb630f935210e93b1e5569a1181a0c19cee3c4c129550dece7add29f27b6
f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d
013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5
8b9ed7cbe84b68a9b190a2cfc34c605bc1e2f3851f8eeeb84d4313d8b42431ff
c9f0c595e62ee31b17e1b62cc7be551a1cd46c3395a282fead293a5033674328
046735ced511c1064c2ea51fe6fd55ea1dc5a2d19e608bea4c8df9f8f376a78d
29fc4ec2272e265faf58a71365d463e953c20dcfa192b6208a1fd6ddd25a7f11
4da4d8e83255158a09663b9da8faaecae3a0a9175571aee37567f224cb34e694
d100685c3e62fde73e33854186142c68d4fdab117a4c2eb11a1c73dc362a1277
81ed143389ad903c7669aa1da459fbda5b0d93a157ddddb7ddc1ff8e22b97e96
e762546dc786deba408a71f5cb8369a84e56e07c21e75ac56a4a7dad522b28af
878f318722d59f4bf5e617bf4daef2f12f539170f16d5b263d816a03b9d5107c
1ee774ec1cf70a9cbb1a383d7c7c61156308d936e070a0b8e726b9892dde2ca9
ae284655948354c6ed48e95cf2aaa058d376ed19d2aa69aa38eecea72ee2f576
6fce035d54888d7895091ecee886b64043cbcb5cdb410457411ae156a822973c
576f4658c5c58273967350871dfd6d60e64d54d772c812f8507de67d4784f6ff
03bc82a58bda7eff17320728048c0d37fa376a64f08504e7c0454b743790d5ac
1fb620b3a5fef04e16e34e800f05b3cb7cbad920b33c66d799d305ad15801224
dcb417103bd0f315ba7cd30f1eadfca56a56122caec7ce4afe96b410931f43e6
7bc7edf2f2fafaa8457fb596cbbcdedafd23544d75e739e777b73790965df6bb
584022a11fa25bc77ada9ec361c791001f8d8da848930b386f42841d9e0be7d6
93af04866fe94141664174864c6965777d7f78897a27ca858d6f79b653ca943a
23b9b4a46c15c5fa3b7445e8041852f3dc831547903250209ca738b1a17fb7c2
ae082792bb09ee973564e6e71c92f547fcbef3fd5d6c3b4f8e2172044cf2591e
496ba3f23ddaf5c1514228f1ca90b1de4392a159eaac3ecbd5fbe3fbb28f819f
bd0e1cfd8ac5fef73e78b0a784c11682ed8d3120e6293d7d87425e5cd65d91eb
e0b9c05954186f5d54bcaf95e425448540d4a0fdc6cac1a12899bda66e38ac37
3a4cfc46e94f08076d2ada85e0d51cf06695bfb54ad5f37c316c70d582839d15
94338a235c9207ba31032496ba04d39ae887a3155c15d57347307df2dfa16242
7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a
d613473068f000318d1015b85a0f49f9191263041ae8debcc7250876ae146304
4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
cda34c7ddc45a0ac67f0f3745b91686c285bc86f108c5c2deb36c1c3a0fb5a4f
0876a062221ba67194143bb2b1fc83d87b22860cf5e8cff64239b4b9dc251d11
7fb1caac122f0f3640e234a54256f2a97b44bdd0881124191c352c7e797b7dc2
SH256 hash:
6acc5d6df27e7a7c84a02305b36188873a3fc0c9cefcbecb82af0c6a1609047c
MD5 hash:
20d04d15be1f8344803d537c208844a4
SHA1 hash:
965b5b2bad3428cb11b1988247b6c593d64e6a3e
Link:
https://www.unpac.me/results/5e97e230-377f-4845-9dfb-33c253626d0d/
SH256 hash:
394b5507dddd8151d944db8db8e9dd7857c62aecd21d0a700c8db57120db4c06
MD5 hash:
da28c284b5110506d152a9e70d877232
SHA1 hash:
5e17f5d853d07c274a82e5399e46419bb81dc7e0
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/5e97e230-377f-4845-9dfb-33c253626d0d/
Parent samples :
5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1
9709b89b130bc2a8b0f8aaf832705d093760bf811698cfe3cc40ff1751bef020
ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e
SH256 hash:
a6e1d13c20fd6a43def32e4023d60443ba54a238c7af69fcbb06dc681a6b958f
MD5 hash:
393a76b8563912f3db11db2e23aa13f3
SHA1 hash:
210e55aa752a1b620c150535ed15705e51a3ebfb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5e97e230-377f-4845-9dfb-33c253626d0d/
SH256 hash:
ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e
MD5 hash:
db416547d92e1f2179131d797be72cb8
SHA1 hash:
2d8d19b6654dd949837c1ba2d1974a8f3f58ddb0
Link:
https://www.unpac.me/results/5e97e230-377f-4845-9dfb-33c253626d0d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments