MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0
SHA3-384 hash: 5ce2936d4e39861af7fe91488431d84da3c3008006126a420ab0bb72687830fe9bbf7ad6ac01a0c83c73fe97aca413ae
SHA1 hash: 98886e7ee2f7eb739b07c5e5ef9eb6d1d5b809da
MD5 hash: 6429377e88fb78fec0c3d641308d4281
humanhash: johnny-artist-artist-wisconsin
File name:Swift Email Bildirimi 1.pdf.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'258'496 bytes
First seen:2026-05-04 17:52:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'883 x AgentTesla, 19'801 x Formbook, 12'306 x SnakeKeylogger)
ssdeep 24576:e4DWWGCo6VjWm7AJoF4Z9sbiUNU3HGPcnk5PC+Xf93h3ZBf:e4SWhVjX7CoF5iUo+cnk5Phv93JD
Threatray 7 similar samples on MalwareBazaar
TLSH T138451218225AD803C4D21FB40971E3F01778CE8DA526E313AFFABEDBB57A6552D48352
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
CH CH
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-05-04 17:55:37 UTC
Tags:
evasion darkcloud stealer auto-reg telegram upx
Link:
https://app.any.run/tasks/dc86522b-e1a4-4a9b-a0f0-e7fef96e1f07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/64493/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3222.2598.31235.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Setting a single autorun event
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt masquerade obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/69f8dce3df14f1cb2ac9d1c2/reports/7a9b3995-28a2-4e41-be82-afdf96b97d4d/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-04T05:47:00Z UTC
Last seen:
2026-05-05T15:08:00Z UTC
Hits:
~1000
Detections:
VHO:Backdoor.Win32.Convagent.gen Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen not-a-virus:PDM:AdWare.Win32.Vopak.a HackTool.ReconScan.HTTP.ServerRequest
Link:
https://opentip.kaspersky.com/f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ee847ad-3ee7-4446-89e7-02f3619918d1
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1908240
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Suspicious Double Extension File Execution
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.19 Win 32 Exe x86
Link:
https://app.malva.re/file/6429377e88fb78fec0c3d641308d4281
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2026-05-04 12:18:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yhiaebdtrwnbg4mhz3tm35qxwagqiwhytybskvglc6hsz77tpaa._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
4cbc79702cdc46953a14237c27ab6a81c8e46895acff1119a93a9912b4281065
DarkCloud
a312f9d970cce223d5ae325b879331f6c81b8449c8ce11e702d41f74a82e9f6a
DarkCloud
error
DarkCloud
f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0
DarkCloud
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/260504-wf2glsdt8j/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0
MD5 hash:
6429377e88fb78fec0c3d641308d4281
SHA1 hash:
98886e7ee2f7eb739b07c5e5ef9eb6d1d5b809da
Link:
https://www.unpac.me/results/3fbbb836-92e1-47e6-a45f-494a555df836/
SH256 hash:
bfbc0210fe4c6138bc58e57277412fb93a3b4b8921fcbbfdeae939ab5a355d91
MD5 hash:
f5fbbbacab5170c46b2e11af8c253f4a
SHA1 hash:
03018cc48ca5ba3f23def183c14456939bdf4106
Link:
https://www.unpac.me/results/3fbbb836-92e1-47e6-a45f-494a555df836/
SH256 hash:
daaf19b3083ab6b8d15ee1ff07d98e3e505ff8ba6cebdd9eb769a2a0e81ca341
MD5 hash:
5fce1a72d78481c5fdc9f1a5064ed20b
SHA1 hash:
113e8e2e4437651d616d48d884cf1f5ab1e77cf8
Link:
https://www.unpac.me/results/3fbbb836-92e1-47e6-a45f-494a555df836/
SH256 hash:
7a195d8e2aae5876fc7211cf2d7452bcf1aac8cec5c91fdc073fcc09f51c579d
MD5 hash:
9a866133961de977652439aa17c0b7f8
SHA1 hash:
4850c179d54d9cfd0cfd78e2c8c6d029cd4ddf4a
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/3fbbb836-92e1-47e6-a45f-494a555df836/
SH256 hash:
10d329d21caaa130466427ff625d0bfae6b1f1d26adfefd9f81f8a63f85b88d0
MD5 hash:
8593639303535cbb65d16fdb01b61e5b
SHA1 hash:
5c91fc8aaa38114227fd329bc9159e5eca903f23
Link:
https://www.unpac.me/results/3fbbb836-92e1-47e6-a45f-494a555df836/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/3fbbb836-92e1-47e6-a45f-494a555df836/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f60e8010239c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe f60e8010239c6cd09b8c3e77366fb0bd806822c7c4f0192aa658bc7967ff9bc0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/64493/

Comments