MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8a344532b9c8dba36b351ce752ba35853e625ac627d231a9c0cbc6db980f017. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkCloud


Vendor detections: 12



SHA256 hash: f8a344532b9c8dba36b351ce752ba35853e625ac627d231a9c0cbc6db980f017
SHA3-384 hash: c70759715f7de129de90fe74fc64512fe075f947afb35f00cc4c783992fe2b2c101486309b5f03b6af9012759e24e220
SHA1 hash: cca8afa0fbbf985ac6a0921e2fda9bb04028cf22
MD5 hash: 972bd0c53dbe2fdfcfbf0d34165fc879
humanhash: social-salami-bravo-november
File name: invoice.exe
Signature: DarkCloud
File size: 1'025'024 bytes
First seen: 2023-04-05 13:35:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:RAimXBHJyYdjgIRrVVyAsAEuAedSwDInbFy7zf+:6yYdjgIRr+A5NJdSwoE76
Threatray: 127 similar samples on MalwareBazaar
TLSH: T1C425F114E2CE8649C405B23EA5D7D2BC6322DD99E966CBC37BC9BD8FB2BAFC41045141
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: Anonymous
Tags: DarkCloud exe

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 247
Origin country: CH
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: invoice.exe
Verdict: Suspicious activity
Analysis date: 2023-04-05 13:36:35 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: formbook packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Behaviour
Behavior Graph ID: 841966
Sample: invoice.exe
Start date: 05/04/2023
Architecture: WINDOWS
Score: 100
Signatures on the submitted sample:
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  .NET source code contains potential unpacker
  3 other signatures
Processes started from the sample: forrue.exe, invoice.exe, forrue.exe
forrue.exe:
  Multi AV Scanner detection for dropped file
  Machine Learning detection for dropped file
  Writes or reads registry keys via WMI
  Starts two further forrue.exe processes
invoice.exe:
  Dropped: C:\Users\user\AppData\...\invoice.exe.log (ASCII)
  Injects a PE file into a foreign processes
  Starts two further invoice.exe processes
Child forrue.exe:
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Crypto Currency Wallets
Child invoice.exe:
  Dropped: C:\Users\user\AppData\Roaming\...\forrue.exe (PE32)
Threat name: ByteCode-MSIL.Trojan.Tnega
Status: Malicious
First seen: 2023-03-30 16:57:03 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 23 of 37 (62.16%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files

SHA256 hash: 3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash: 94d1531b52774dce52a89e33646d5b1d
SHA1 hash: 29bf887b025b97bd7a9e1e261852ba824234a625

SHA256 hash: 5062f99a5460cbd448d7f9c35d5c05aafa3ce36357be73268367d779dd92396e
MD5 hash: c499b0e057f46db9f5ad9f0e9181830e
SHA1 hash: fda2b448e6c7a411e1baed2a8bca7050b9b769ef

SHA256 hash: 98df89d13e75ce6c1210e37d7e6838d7f1cbebec0494ca1155e31955c327eaf8
MD5 hash: 26490a0d7e41898832d9e5d794d5c83e
SHA1 hash: fd96743ac03a5716a5907c0e8ab617482e3e3647

SHA256 hash: 3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash: e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash: 682325763a0ec77e0fd475ea3a4021b4651eceac

SHA256 hash: f5fd74fd071b2051ff5ca2fabab4c062f7cf4abdf8032a9c706ae4bf3b24106c
MD5 hash: d9f6edf98cba8919b12e301a499e3d15
SHA1 hash: 15044b4f18122b28c03b17ab14c2ad2fb06de51b

SHA256 hash: 64766dccf31959f82b64a8a3d32c5e2d3a9a9e396182fc4585a10ba0adcbbd3b
MD5 hash: 1475ae99116f934716ec683954fe29fd
SHA1 hash: 0864b979ae6a3337cd61a223f4ee81024fecf10b

SHA256 hash: f8a344532b9c8dba36b351ce752ba35853e625ac627d231a9c0cbc6db980f017
MD5 hash: 972bd0c53dbe2fdfcfbf0d34165fc879
SHA1 hash: cca8afa0fbbf985ac6a0921e2fda9bb04028cf22
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Suspicious_Macro_Presence
Author: Mehmet Ali Kerimoglu (CYB3RMX)
Description: This rule detects common malicious/suspicious implementations.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: DarkCloud
Sample: Executable exe f8a344532b9c8dba36b351ce752ba35853e625ac627d231a9c0cbc6db980f017 (this sample)
Delivery method: Distributed via e-mail attachment
