MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45
SHA3-384 hash: 69399f0c883eb670df1475d3f2b09653d23924be102bb93892c4b2810e16d2c83a37bc89730ad4fc47eae97023a5134c
SHA1 hash: 7c19a802861bcb25b5f61abbaf51f2d2528a783c
MD5 hash: ceb2ca5a252cce1f0dda1c8631d316ba
humanhash: ten-harry-alanine-zulu
File name:f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45
Download: download sample
Signature DarkCloud
Create hunting rule
File size:434'688 bytes
First seen:2023-09-04 06:03:53 UTC
Last seen:2023-09-04 06:38:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d02a240dba5725a7fc1488f5b3ec984e (3 x DarkCloud)
ssdeep 12288:aNs209hEet8Ut82TfIcOoIywhTswjYKkJj6GmZU:B2iEYAoIXhTsmYb6nZ
Threatray 172 similar samples on MalwareBazaar
TLSH T182943B17EA10712EF5A2C4F0EAD49217A8956D3A1268E827F7819F0935365D3ECF132F
TrID 45.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
15.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
14.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
9.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon dadcf4f4e8fcdc01 (3 x DarkCloud)
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45
Verdict:
Malicious activity
Analysis date:
2023-09-04 06:10:39 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/b222d654-b46e-48ba-991a-24bd6e5c0293

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445936/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
hacktool lolbin packed shell32 stealer
Link:
https://www.filescan.io/uploads/64f5735b2a262962b792672d/reports/cb6d40e5-af3e-4e96-9f0b-dd77e3ebe211/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cafddc92-6dd0-4bac-b513-ab677436f9dd
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1302619
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45/
Threat name:
Win32.Trojan.DarkCloudStealer
Create hunting rule
Status:
Malicious
First seen:
2023-09-04 06:04:11 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ffb326355eowh7yh3mebqn5m6c3zmv3h74kouudfpnpewo7xrcq._file
Verdict:
malicious
Similar samples:
16329a763d15e6e2a873bf3c0ca87f5cbce617912ba840b2a375a65225f43b50
DarkCloud
46165206f430648e60c96434490576705decd79d2641b99110e277c7c2dad1d5
DarkCloud
62456d25e43ca60a3c6763d68a70b39d09138b56b287a40f95584b563ac5bb11
DarkCloud
665a45078b6796f4d7e116880d6b56daa965b7a7498da0c8169598177997a9db
DarkCloud
78b984255563f6e9fd26b210764ed39935bc6bb73258e417b2cd88f5b2c53399
DarkCloud
7d85fc44d14db757a98732f263d8000a5804ffc8c727db5a7ee405297547fcc2
DarkCloud
db8e8b79571753172812ca401f3baebabf3ddabd02c6be0dff616a618e06f783
DarkCloud
dc1b427e14256c296f347c6d55f257dc9fc744a170a9b9a5a327a22690b71d33
DarkCloud
e2156ff475b7949c41408fa558cb1db6fab7ea0d5696c3299d6d6ad9ff478bbf
DarkCloud
+ 162 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230904-gsljlaee93/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
DarkCloud
Unpacked files
SH256 hash:
f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45
MD5 hash:
ceb2ca5a252cce1f0dda1c8631d316ba
SHA1 hash:
7c19a802861bcb25b5f61abbaf51f2d2528a783c
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/d046a71d-c6f5-4cc3-bede-70287664abbe/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f14a1debdbef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445936/

Comments