darkcloud | 579c6f487fea9a0c670699c79188429336c8682b217f35a3a329bce06526cf67

Analysis

max time kernel
156s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Terfasteners - SOA.exe
Size

781KB
MD5

f49064dd35a37ea6528be4e213c878fa
SHA1

974210200d6350cae4b8a240435afae4d6885b9e
SHA256

579c6f487fea9a0c670699c79188429336c8682b217f35a3a329bce06526cf67
SHA512

48a0ecef1724e416c1b01b73b239ceb0acbac15d9253115e6cf073401bffae3d67968235b1f98f3b61ef47b47cf59072594a04ae6a4bac88652ed952846e14f3
SSDEEP

6144:BNAQ3m8L4Io6RgCasuGhBI/j1Qul/VIf8/lG+w4FNqAhvCvPybHVoUxK1WFhgAk/:T3mztCasviNlzlG+bnqAl9HCZ1vA

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Executes dropped EXE 3 IoCs

pid	Process
5104	Terfasteners - SOA.exe
4400	Terfasteners - SOA.exe
4128	Terfasteners - SOA.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4740 set thread context of 3224	4740	Terfasteners - SOA.exe	88
PID 5104 set thread context of 4400	5104	Terfasteners - SOA.exe	97

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2400	schtasks.exe
8	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3224	Terfasteners - SOA.exe
4400	Terfasteners - SOA.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3224	4740	Terfasteners - SOA.exe	88
PID 4740 wrote to memory of 3224	4740	Terfasteners - SOA.exe	88
PID 4740 wrote to memory of 3224	4740	Terfasteners - SOA.exe	88
PID 4740 wrote to memory of 3224	4740	Terfasteners - SOA.exe	88
PID 4740 wrote to memory of 3224	4740	Terfasteners - SOA.exe	88
PID 4740 wrote to memory of 3224	4740	Terfasteners - SOA.exe	88
PID 4740 wrote to memory of 3224	4740	Terfasteners - SOA.exe	88
PID 4740 wrote to memory of 3224	4740	Terfasteners - SOA.exe	88
PID 4740 wrote to memory of 4052	4740	Terfasteners - SOA.exe	89
PID 4740 wrote to memory of 4052	4740	Terfasteners - SOA.exe	89
PID 4740 wrote to memory of 4052	4740	Terfasteners - SOA.exe	89
PID 4740 wrote to memory of 1416	4740	Terfasteners - SOA.exe	91
PID 4740 wrote to memory of 1416	4740	Terfasteners - SOA.exe	91
PID 4740 wrote to memory of 1416	4740	Terfasteners - SOA.exe	91
PID 4740 wrote to memory of 4192	4740	Terfasteners - SOA.exe	93
PID 4740 wrote to memory of 4192	4740	Terfasteners - SOA.exe	93
PID 4740 wrote to memory of 4192	4740	Terfasteners - SOA.exe	93
PID 1416 wrote to memory of 8	1416	cmd.exe	95
PID 1416 wrote to memory of 8	1416	cmd.exe	95
PID 1416 wrote to memory of 8	1416	cmd.exe	95
PID 5104 wrote to memory of 4400	5104	Terfasteners - SOA.exe	97
PID 5104 wrote to memory of 4400	5104	Terfasteners - SOA.exe	97
PID 5104 wrote to memory of 4400	5104	Terfasteners - SOA.exe	97
PID 5104 wrote to memory of 4400	5104	Terfasteners - SOA.exe	97
PID 5104 wrote to memory of 4400	5104	Terfasteners - SOA.exe	97
PID 5104 wrote to memory of 4400	5104	Terfasteners - SOA.exe	97
PID 5104 wrote to memory of 4400	5104	Terfasteners - SOA.exe	97
PID 5104 wrote to memory of 4400	5104	Terfasteners - SOA.exe	97
PID 5104 wrote to memory of 3996	5104	Terfasteners - SOA.exe	98
PID 5104 wrote to memory of 3996	5104	Terfasteners - SOA.exe	98
PID 5104 wrote to memory of 3996	5104	Terfasteners - SOA.exe	98
PID 5104 wrote to memory of 3144	5104	Terfasteners - SOA.exe	99
PID 5104 wrote to memory of 3144	5104	Terfasteners - SOA.exe	99
PID 5104 wrote to memory of 3144	5104	Terfasteners - SOA.exe	99
PID 5104 wrote to memory of 2468	5104	Terfasteners - SOA.exe	102
PID 5104 wrote to memory of 2468	5104	Terfasteners - SOA.exe	102
PID 5104 wrote to memory of 2468	5104	Terfasteners - SOA.exe	102
PID 3144 wrote to memory of 2400	3144	cmd.exe	104
PID 3144 wrote to memory of 2400	3144	cmd.exe	104
PID 3144 wrote to memory of 2400	3144	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\Terfasteners - SOA.exe
"C:\Users\Admin\AppData\Local\Temp\Terfasteners - SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\Terfasteners - SOA.exe
  "C:\Users\Admin\AppData\Local\Temp\Terfasteners - SOA.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3224
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Terfasteners - SOA"
  2⤵
  PID:4052
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:8
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Terfasteners - SOA.exe" "C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe"
  2⤵
  PID:4192

C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe
"C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe
  "C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4400
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Terfasteners - SOA"
  2⤵
  PID:3996
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe" "C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe"
  2⤵
  PID:2468

C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe
"C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe"
1⤵
- Executes dropped EXE
PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Terfasteners - SOA.exe.log

Filesize
612B

MD5
4bc94363628f46b343c5e8e2da62ca26

SHA1
8a41ac46e24d790e11a407d0e957c4a6be6056c4

SHA256
c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a

SHA512
cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829

Download Submit
C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe

Filesize
781KB

MD5
f49064dd35a37ea6528be4e213c878fa

SHA1
974210200d6350cae4b8a240435afae4d6885b9e

SHA256
579c6f487fea9a0c670699c79188429336c8682b217f35a3a329bce06526cf67

SHA512
48a0ecef1724e416c1b01b73b239ceb0acbac15d9253115e6cf073401bffae3d67968235b1f98f3b61ef47b47cf59072594a04ae6a4bac88652ed952846e14f3

Download Submit
C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe

Filesize
781KB

MD5
f49064dd35a37ea6528be4e213c878fa

SHA1
974210200d6350cae4b8a240435afae4d6885b9e

SHA256
579c6f487fea9a0c670699c79188429336c8682b217f35a3a329bce06526cf67

SHA512
48a0ecef1724e416c1b01b73b239ceb0acbac15d9253115e6cf073401bffae3d67968235b1f98f3b61ef47b47cf59072594a04ae6a4bac88652ed952846e14f3

Download Submit
C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe

Filesize
781KB

MD5
f49064dd35a37ea6528be4e213c878fa

SHA1
974210200d6350cae4b8a240435afae4d6885b9e

SHA256
579c6f487fea9a0c670699c79188429336c8682b217f35a3a329bce06526cf67

SHA512
48a0ecef1724e416c1b01b73b239ceb0acbac15d9253115e6cf073401bffae3d67968235b1f98f3b61ef47b47cf59072594a04ae6a4bac88652ed952846e14f3

Download Submit
C:\Users\Admin\AppData\Roaming\Terfasteners - SOA\Terfasteners - SOA.exe

Filesize
781KB

MD5
f49064dd35a37ea6528be4e213c878fa

SHA1
974210200d6350cae4b8a240435afae4d6885b9e

SHA256
579c6f487fea9a0c670699c79188429336c8682b217f35a3a329bce06526cf67

SHA512
48a0ecef1724e416c1b01b73b239ceb0acbac15d9253115e6cf073401bffae3d67968235b1f98f3b61ef47b47cf59072594a04ae6a4bac88652ed952846e14f3

Download Submit
memory/8-144-0x0000000000000000-mapping.dmp

Download
memory/1416-141-0x0000000000000000-mapping.dmp

Download
memory/2400-159-0x0000000000000000-mapping.dmp

Download
memory/2468-158-0x0000000000000000-mapping.dmp

Download
memory/3144-157-0x0000000000000000-mapping.dmp

Download
memory/3224-138-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3224-145-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3224-136-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3224-135-0x0000000000000000-mapping.dmp

Download
memory/3996-153-0x0000000000000000-mapping.dmp

Download
memory/4052-140-0x0000000000000000-mapping.dmp

Download
memory/4192-142-0x0000000000000000-mapping.dmp

Download
memory/4400-149-0x0000000000000000-mapping.dmp

Download
memory/4400-160-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4400-161-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4740-132-0x0000000000D50000-0x0000000000E1A000-memory.dmp

Filesize
808KB

Download
memory/4740-134-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/4740-133-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads