MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee
SHA3-384 hash: 070d72e45098e21e8532a6ee901f8d5c10828171000d6d49fbba0a7288a5bb3be35fde2e6ee50527ec7e9eda6673d8f5
SHA1 hash: 49122635bce1605812cd9e32809f733ab4848efd
MD5 hash: 396c40ce0becf3d1583fd62c5965d18a
humanhash: princess-wisconsin-triple-nineteen
File name:swift payment.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:434'165 bytes
First seen:2022-12-18 00:17:42 UTC
Last seen:2022-12-18 01:27:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 12288:Hh1blAdl7LsII684XkR9GIUDiC6BM4b5Pxxkd7:HbJg7LsIAyN541pK
Threatray 75 similar samples on MalwareBazaar
TLSH T15C9423D478E6897BE26690314FB6990BC3BE061A089E6E5F47246FEF0437AC74A053D1
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
swift payment.exe
Verdict:
Malicious activity
Analysis date:
2022-12-18 00:18:23 UTC
Tags:
installer
Link:
https://app.any.run/tasks/2ac2a4ea-270b-4282-9685-26255fb8e9c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347452/
Detection(s):
Sanesecurity.Rogue.0hr.20221217-1133.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20e5354d-c872-4f1e-94db-6436113f4f44
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1136220
Signature
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 768949 Sample: swift payment.exe Startdate: 18/12/2022 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected DarkCloud 2->44 46 Yara detected Generic Dropper 2->46 48 2 other signatures 2->48 7 swift payment.exe 19 2->7         started        10 inecgkmnie.exe 2->10         started        13 inecgkmnie.exe 2->13         started        process3 file4 30 C:\Users\user\AppData\Local\Temp\oxixz.exe, PE32 7->30 dropped 15 oxixz.exe 1 2 7->15         started        56 Multi AV Scanner detection for dropped file 10->56 19 WerFault.exe 10 10->19         started        21 WerFault.exe 4 10 13->21         started        signatures5 process6 file7 32 C:\Users\user\AppData\...\inecgkmnie.exe, PE32 15->32 dropped 34 Multi AV Scanner detection for dropped file 15->34 36 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->36 38 Maps a DLL or memory area into another process 15->38 40 Writes or reads registry keys via WMI 15->40 23 oxixz.exe 2 15->23         started        26 svchost.exe 3 15->26         started        28 oxixz.exe 15->28         started        signatures8 process9 signatures10 50 Tries to harvest and steal browser information (history, passwords, etc) 23->50 52 Tries to steal Crypto Currency Wallets 23->52 54 Query firmware table information (likely to detect VMs) 26->54
Gathering data
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2022-12-16 12:57:19 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=62oxmaitj64uui5te47nlhefxvnxqr7wcluhr4nvybdr4d5w47xa._file
Verdict:
malicious
Similar samples:
2846ca6292a8d985cc30fd1a8b6cd626da21f2dd6e4b3138229a1ada9f2f79b9
DarkCloud
384f8a72e54ef9ae93b8aaef4915a6bda260a8abda00c57bb38f2766509cdc48
DarkCloud
78209b6f468f6077142e45f3a21806bd36c47897d63124439b85d73aeffd028b
DarkCloud
889c2ec3e88c2a47de4bcc6d88cb74d21a01088330fb240788c81968ba16155b
DarkCloud
8beb70d99ea56763a805fe4152ad7c1ad8237c67fa8c27bd4fad4d1ee265e46a
DarkCloud
bef09c4e715063415146af6323755bbc13c1651c3ba5ac6bcd9acd283489cd5b
DarkCloud
e736927372d65401306e5deda3e516c24a1f52641862034847218d3923993ed3
DarkCloud
ebbad6fe23e96ccf9e5667e59d87dab75add4b9c6bb5340b5143b1c0eb3db1a3
DarkCloud
fb27645c5ba18a9e7e61876df54e4220c89cfdea419892dc08c32a9a7fe9b443
DarkCloud
ffda7e756dd083ce87c1dc9b9160e8223731dc35cdbf398415e8f1d8c38f9365
DarkCloud
+ 65 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221218-allsfsda8s/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/06648a78-4963-4d7e-8fe9-3c4520e2248a
Unpacked files
SH256 hash:
740063e2e2cde1f834326c82ee9887fc1e2b320bcdd969e92a1eecf8f12d9d05
MD5 hash:
a3a579b45b0f3f77ee3351e9fa81d81f
SHA1 hash:
eefceb29190c6a0d86d9d8c61523ebe9ef7ca35a
Link:
https://www.unpac.me/results/e3a7c14c-6643-46ff-9de2-4b2667b2fbfd/
SH256 hash:
220a93f48047a036d78e29d60daffeff544726cd22f853a0cfa7b22fc276e81a
MD5 hash:
f4b91a9f7c761e860d57e8b1559c29fe
SHA1 hash:
c764f1cddfac4fa6cb1fce9509c5e6d6507563ee
Link:
https://www.unpac.me/results/e3a7c14c-6643-46ff-9de2-4b2667b2fbfd/
SH256 hash:
eb50faebf380952e573fe0cbd677c4421ddb6f20b6b0de71f31c9e2ef26fc709
MD5 hash:
b890246948df36c7c2ae4147d1556f17
SHA1 hash:
4b6d9c64703df26d93bbb9ea74e7445d40f276dc
Link:
https://www.unpac.me/results/e3a7c14c-6643-46ff-9de2-4b2667b2fbfd/
SH256 hash:
f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee
MD5 hash:
396c40ce0becf3d1583fd62c5965d18a
SHA1 hash:
49122635bce1605812cd9e32809f733ab4848efd
Link:
https://www.unpac.me/results/e3a7c14c-6643-46ff-9de2-4b2667b2fbfd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/347452/

Comments