MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3c34788171c262fcd38db26fd527bdf667e1bd1f817274497a635694f912582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3c34788171c262fcd38db26fd527bdf667e1bd1f817274497a635694f912582
SHA3-384 hash: 18742da2ebf58ae5038436a1801ab8b386f45e5e4e4e5fb671a7ae5b78073175b625f0dfd52d4a4b56185c5e706d4bb7
SHA1 hash: 3e1c1f1b68a6da52b9e96e2d8c83b4811db9332b
MD5 hash: a6c419d18355bad7322bdb7cf4eb9e13
humanhash: yellow-alaska-hot-berlin
File name:PO.js
Download: download sample
Signature DarkCloud
Create hunting rule
File size:2'357 bytes
First seen:2025-07-08 08:49:20 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 48:52ibcE5H3LKpQuXK1Wm6TEe55cl5zXlcT9MQtSldslFTsSAk/SyBrgsB:5ZLKpc1WmSLu3qT9M8SnsrTsSAmSoHB
TLSH T19B41A2CF2C04A0D2039E53FB3F5B980AC210DC89A25BE080E651B65C7E30B726D6BB20
Magika javascript
Reporter cocaman
Tags:DarkCloud js

Intelligence

File Origin
# of uploads :
1
# of downloads :
30
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686cdb92900df8e7f868748f
Tags:
dropper extens spawn
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive obfuscated opendir opendir reconnaissance
Link:
https://www.filescan.io/uploads/686cdbe50737c4165a944c63/reports/839fc12c-c7b3-4f91-8e75-8e12e543a92c/overview
Verdict:
Malicious
Labled as:
SVM:TrojanDownloader/JS.Nemucod
Link:
https://www.hybrid-analysis.com/sample/f3c34788171c262fcd38db26fd527bdf667e1bd1f817274497a635694f912582
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1730750
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Benign windows process drops PE files
Found malware configuration
Injects a PE file into a foreign processes
JavaScript file contains suspicious strings
JavaScript source code contains functionality to generate code involving a shell, file or stream
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1730750 Sample: PO.js Startdate: 08/07/2025 Architecture: WINDOWS Score: 100 34 Suricata IDS alerts for network traffic 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 11 other signatures 2->40 7 wscript.exe 2 19 2->7         started        12 OUTLOOK.EXE 172 45 2->12         started        process3 dnsIp4 26 198.55.98.29, 49715, 80 ASN-QUADRANET-GLOBALUS United States 7->26 20 C:\Users\user\AppData\Local\...\RlnZQA57.exe, PE32 7->20 dropped 22 C:\Users\user\AppData\Local\Temp\...\DDD.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\Local\...\IVCz6mBC.zip, Zip 7->24 dropped 42 System process connects to network (likely due to code injection or exploit) 7->42 44 Benign windows process drops PE files 7->44 46 JScript performs obfuscated calls to suspicious functions 7->46 48 2 other signatures 7->48 14 RlnZQA57.exe 1 7->14         started        file5 signatures6 process7 signatures8 50 Multi AV Scanner detection for dropped file 14->50 52 Writes to foreign memory regions 14->52 54 Allocates memory in foreign processes 14->54 56 Injects a PE file into a foreign processes 14->56 17 RegAsm.exe 4 14->17         started        process9 signatures10 28 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->28 30 Tries to steal Mail credentials (via file / registry access) 17->30 32 Tries to harvest and steal browser information (history, passwords, etc) 17->32
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f3c34788171c262fcd38db26fd527bdf667e1bd1f817274497a635694f912582
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3c34788171c262fcd38db26fd527bdf667e1bd1f817274497a635694f912582/
Verdict:
Malicious
Threat:
Script-JS.Downloader.AgentTesla
Link:
https://tip.neiki.dev/file/f3c34788171c262fcd38db26fd527bdf667e1bd1f817274497a635694f912582
Threat name:
Script-JS.Downloader.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-07-08 05:12:30 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 24 (29.17%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6pbupcaxdqtc7tjy3mtp2ut335th4g6r7alsorexuy2wst4rewba._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
error
DarkCloud
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery execution spyware stealer
Link:
https://tria.ge/reports/250708-kq77csvyct/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
DarkCloud
Darkcloud family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3c34788171c262fcd38db26fd527bdf667e1bd1f817274497a635694f912582

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

7z 24af0cb19761d1781dc4782e1de8bdd3e8f2673f4386e88bd65c95e9c5f24028

DarkCloud

Java Script (JS) js f3c34788171c262fcd38db26fd527bdf667e1bd1f817274497a635694f912582

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 24af0cb19761d1781dc4782e1de8bdd3e8f2673f4386e88bd65c95e9c5f24028
  
Dropped by
MD5 3a6febe5ff7a6c06e264fc734985ca94

Comments