MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0de5714ce83c1b278f1426a198450e9ee1a94fdaefd77d502ec9c010cc43450. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0de5714ce83c1b278f1426a198450e9ee1a94fdaefd77d502ec9c010cc43450
SHA3-384 hash: 55a7af19e377a35d9ac0bdca1a792892d3b890350de404c0a92c87be2ff6def9a81a994d214d7787375b0969e0eab37d
SHA1 hash: 149cc1cd047994354c0188e8e3ed8369376a8efe
MD5 hash: 456b73d6317cb5a57fe14e89f9b96408
humanhash: georgia-maryland-juliet-three
File name:PO.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'391'104 bytes
First seen:2023-07-25 10:48:42 UTC
Last seen:2023-07-31 06:54:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:ranliXrYoAUdjb+CWzRPs71onMd5RhxnxhMHwMdo:elarYJUdvjiJlMdTD3MQ
Threatray 508 similar samples on MalwareBazaar
TLSH T19555E0D83240B6BFCC0689B1DA7F8FA49A307C6753DBC25294133399597D686DE038E6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0d0d8d4d4d8d0e0 (7 x DarkCloud, 5 x AgentTesla, 4 x Formbook)
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.exe
Verdict:
No threats detected
Analysis date:
2023-07-25 11:00:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d93a3064-d70c-40ae-acd5-3c0515114644

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/432140/
Detection(s):
Win.Trojan.Generickdz-9902201-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f0de5714ce83c1b278f1426a198450e9ee1a94fdaefd77d502ec9c010cc43450
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3052656e-09d3-429c-b698-355d5a4d3240
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279066
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1279066 Sample: PO.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 61 mail.hydrabd.com 2->61 63 hydrabd.com 2->63 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus / Scanner detection for submitted sample 2->83 85 6 other signatures 2->85 8 PO.exe 7 2->8         started        12 vktRISP.exe 5 2->12         started        14 tattooist.exe 2->14         started        16 tattooist.exe 2->16         started        signatures3 process4 file5 53 C:\Users\user\AppData\Roaming\vktRISP.exe, PE32 8->53 dropped 55 C:\Users\user\...\vktRISP.exe:Zone.Identifier, ASCII 8->55 dropped 57 C:\Users\user\AppData\Local\...\tmp6E3F.tmp, XML 8->57 dropped 59 C:\Users\user\AppData\Local\...\PO.exe.log, ASCII 8->59 dropped 87 Detected unpacking (changes PE section rights) 8->87 89 Detected unpacking (overwrites its own PE header) 8->89 91 May check the online IP address of the machine 8->91 103 2 other signatures 8->103 18 PO.exe 34 8->18         started        22 powershell.exe 19 8->22         started        37 2 other processes 8->37 93 Antivirus detection for dropped file 12->93 95 Multi AV Scanner detection for dropped file 12->95 97 Machine Learning detection for dropped file 12->97 24 vktRISP.exe 12->24         started        26 schtasks.exe 12->26         started        99 Writes or reads registry keys via WMI 14->99 101 Injects a PE file into a foreign processes 14->101 28 tattooist.exe 14->28         started        30 schtasks.exe 14->30         started        32 tattooist.exe 16->32         started        35 schtasks.exe 16->35         started        signatures6 process7 dnsIp8 65 hydrabd.com 192.185.143.9, 465, 49693, 49698 UNIFIEDLAYER-AS-1US United States 18->65 67 mail.hydrabd.com 18->67 75 2 other IPs or domains 18->75 51 C:\Users\user\AppData\...\tattooist.exe, PE32 18->51 dropped 39 conhost.exe 22->39         started        69 mail.hydrabd.com 24->69 41 conhost.exe 26->41         started        71 mail.hydrabd.com 28->71 43 conhost.exe 30->43         started        73 mail.hydrabd.com 32->73 77 Tries to harvest and steal browser information (history, passwords, etc) 32->77 45 conhost.exe 35->45         started        47 conhost.exe 37->47         started        49 conhost.exe 37->49         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0de5714ce83c1b278f1426a198450e9ee1a94fdaefd77d502ec9c010cc43450/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 03:28:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6dpfofgoqpa3e6hrijvbtbcq5hxbvfh5v36xpvic5soacdgegria._file
Verdict:
malicious
Similar samples:
1a40316f6c5b2edf199b2ea9d5b00cc4ae5547a29b6aa08caadd5ed53a007521
DarkCloud
45bebb479e4a722bfb0c85d398ff1c0372e1dc28acf05ecd21cf3a548cb4b79b
DarkCloud
5516bb55a913a6b1603ef303e563b22ede0bf361be46f37f3b22f66670079790
DarkCloud
62b09bf1931ef9545b10b0bae3eb45a9896fec6add45690ddf95074378e71528
DarkCloud
830b93cdc24c1d75ee7ba0afcaddb58690f9d3ff96ded60ea5657768b188d301
DarkCloud
9d31c9cc465643be87d49f2b8be2a4500e8f5ab048e6327f407942fd8f02da53
DarkCloud
b9cecf45cfc96014113cba345c3f917d598fb372f7b86e23d36f3ff3851d504a
DarkCloud
bfde4e4d95b159f2567c39229e702fc4bba9c53dbd579855ce487794a6759aa0
DarkCloud
f97e82a367b6de783c72f569e62c0900aefda467725c425bc6e122db7fbe1db9
DarkCloud
fd36434871eb55ee3d9f78ee0fd63f26c915f8d5a7d3848ef6ffddcac75893cc
DarkCloud
+ 498 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230725-mwpnbacb69/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/0f78ae39-1b21-4c3b-9c9a-e306f02fb609/
SH256 hash:
e96df37e8e05053ec3385267c264c7f2a14a85c2e819a4f2db430e51efe698d6
MD5 hash:
4421ff5915efc487527e95f3dbe1f65d
SHA1 hash:
1ffa66f379fa1d7c2336173518bed42c64f0216d
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/0f78ae39-1b21-4c3b-9c9a-e306f02fb609/
SH256 hash:
7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941
MD5 hash:
508ba12479b3d78edb93f63b40ab3b7f
SHA1 hash:
d72b842c46546e4e494c9338b530e305dae1d5d2
Link:
https://www.unpac.me/results/0f78ae39-1b21-4c3b-9c9a-e306f02fb609/
SH256 hash:
676829118d5c4a198ea8b14e84793600f650f2f76016b1738b68c7c3d76463c0
MD5 hash:
157ab5a0ebfc6a57c277a719a33f6f92
SHA1 hash:
bdc798a802746daf7e89f22648da2a0a3f9877a0
Link:
https://www.unpac.me/results/0f78ae39-1b21-4c3b-9c9a-e306f02fb609/
SH256 hash:
5ac68d75313d2e2168d903789d2e6abb19ebb84762a4c784cb9f159a4ac9acef
MD5 hash:
258aa1bb26d9a8edddf72d0011ed10f6
SHA1 hash:
6cacd79ac74db5776317a87a3646955b1e13dcf3
Link:
https://www.unpac.me/results/0f78ae39-1b21-4c3b-9c9a-e306f02fb609/
SH256 hash:
f0de5714ce83c1b278f1426a198450e9ee1a94fdaefd77d502ec9c010cc43450
MD5 hash:
456b73d6317cb5a57fe14e89f9b96408
SHA1 hash:
149cc1cd047994354c0188e8e3ed8369376a8efe
Link:
https://www.unpac.me/results/0f78ae39-1b21-4c3b-9c9a-e306f02fb609/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f0de5714ce83/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0de5714ce83c1b278f1426a198450e9ee1a94fdaefd77d502ec9c010cc43450

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe f0de5714ce83c1b278f1426a198450e9ee1a94fdaefd77d502ec9c010cc43450

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/432140/

Comments