MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff6083a7518515494983fb6e6ac2fb8298e953dbb867a37cf00c850c8d27b6c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff6083a7518515494983fb6e6ac2fb8298e953dbb867a37cf00c850c8d27b6c7
SHA3-384 hash: 1c5f917fe0c43364f8c16c259a198827eb3c1e0b6b31a4ce7c81566ac3fecd6dfd2965a7364952900eaea1cfa05da741
SHA1 hash: 804260ea40ee144de6564562734cd5cd49b97897
MD5 hash: c52ed5109267688edaa351fd0f025f54
humanhash: diet-missouri-wolfram-pennsylvania
File name:pagos TT (Ref 0180066743).vbs
Download: download sample
Signature DarkCloud
Create hunting rule
File size:441'710 bytes
First seen:2022-12-24 08:30:41 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:DznG7CmV4H/1MLi8m5Sgc7RS9l3dTnt5n9avG7zKK92rGZN/B5Zh5Y/1EsGGmsHP:DznG7Cm8SgE2l6
Threatray 128 similar samples on MalwareBazaar
TLSH T1A394BC6870DA5A8050C2398B8FAFF56897BBB3E4063B1D8A72CC570787EF900D4557E8
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:aggah DarkCloud hagga vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.7619.23056.21878.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63a6b8c9657c03f3643103ad/reports/339cc313-b935-485b-b141-eb858ff866ab/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140373
Signature
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
VBScript performs obfuscated calls to suspicious functions
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected DarkCloud
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff6083a7518515494983fb6e6ac2fb8298e953dbb867a37cf00c850c8d27b6c7/
Threat name:
Script.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2022-12-24 00:59:29 UTC
File Type:
Text (VBS)
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75qihj2rqukussmd7nxgvqx3qkmosu63xbt2g7hqbscqzdjhw3dq._file
Verdict:
malicious
Similar samples:
21bd51648717ab3722e7bedb6e1f0c6ae28d33db671f1ce93f277c3510133588
DarkCloud
24c5426690acc6f57cf3dc0ba4b5f0f4ce52c26df671150b40f65d7d0e905def
DarkCloud
39196739566b5a1be5ebabd0a15efc5a3d94a3f39d0e61862b116245e94944a1
DarkCloud
4826ace8391d200aa066ceb967aad44fc540670826c59538aa0df039d2c2421c
DarkCloud
52db0eced0eb323a27b9f1c3796c7d042e8384b52107c68309d1d9301274bdcf
DarkCloud
886d5ce01fafa59fba66fafbdc5b5e2bec25e80b8ba59408d7802ce2141edd3d
DarkCloud
c598dce25f2988e75ba2c54f6b229f6f0eb59725d80570ff43c7d8dccf3a62b1
DarkCloud
d36acf1084877e0d4b0fdc1daec75c35da67585c50ae24b5877fc99caab64e61
DarkCloud
+ 118 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/221224-keqg6sch91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://4.204.233.44/DLL/NoStartUp.ppam
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff6083a7518515494983fb6e6ac2fb8298e953dbb867a37cf00c850c8d27b6c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Visual Basic Script (vbs) vbs ff6083a7518515494983fb6e6ac2fb8298e953dbb867a37cf00c850c8d27b6c7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments