darkcloud | 0af86997d67c85c4d03e2d8b362a277f0bca5d09e2885e1a475ee4e009c1375e

General

Target

PAUL DETAIL.exe
Size

817KB
MD5

a7340ee7541332a86cd95f782951ebbe
SHA1

d4dc87a386f69898d1a385b19f6b08f881d5bc82
SHA256

19b08a3d82aa6d41ab851f4cadcbe9199cfcf0f931076ea24601675630ac207b
SHA512

71495abe79a0bd3dcb4feb59c1707672bb3a9cd4174401843927101135c74324f4e601badbd110bf0e3dec64a3ea76a0447de7fe1f29d7623afba43260a50eec
SSDEEP

12288:etXKAsTzmv/BSSe3YqLdylsJBqygC6vau:etXyk53eXJ6pygv

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Executes dropped EXE 1 IoCs

Processes:

sideris cyt 3.exe

pid process

1876 sideris cyt 3.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PAUL DETAIL.exe

description pid process target process

PID 2020 set thread context of 1508 2020 PAUL DETAIL.exe PAUL DETAIL.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1092 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PAUL DETAIL.exe

pid process

1508 PAUL DETAIL.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PAUL DETAIL.exe

pid process

1508 PAUL DETAIL.exe

pid	process
1876	sideris cyt 3.exe

description	pid	process	target process
PID 2020 set thread context of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe

pid	process
1092	schtasks.exe

pid	process
1508	PAUL DETAIL.exe

pid	process
1508	PAUL DETAIL.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

PAUL DETAIL.execmd.exetaskeng.exe

description	pid	process	target process
PID 2020 wrote to memory of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2020 wrote to memory of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2020 wrote to memory of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2020 wrote to memory of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2020 wrote to memory of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2020 wrote to memory of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2020 wrote to memory of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2020 wrote to memory of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2020 wrote to memory of 1508	2020	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2020 wrote to memory of 328	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 328	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 328	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 328	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 692	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 692	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 692	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 692	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 1792	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 1792	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 1792	2020	PAUL DETAIL.exe	cmd.exe
PID 2020 wrote to memory of 1792	2020	PAUL DETAIL.exe	cmd.exe
PID 692 wrote to memory of 1092	692	cmd.exe	schtasks.exe
PID 692 wrote to memory of 1092	692	cmd.exe	schtasks.exe
PID 692 wrote to memory of 1092	692	cmd.exe	schtasks.exe
PID 692 wrote to memory of 1092	692	cmd.exe	schtasks.exe
PID 1464 wrote to memory of 1876	1464	taskeng.exe	sideris cyt 3.exe
PID 1464 wrote to memory of 1876	1464	taskeng.exe	sideris cyt 3.exe
PID 1464 wrote to memory of 1876	1464	taskeng.exe	sideris cyt 3.exe
PID 1464 wrote to memory of 1876	1464	taskeng.exe	sideris cyt 3.exe

C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe
"C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe
"C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sideris cyt 3"
2⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe" "C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe"
2⤵
PID:1792

C:\Windows\system32\taskeng.exe
taskeng.exe {26CF098E-2564-4652-AFCF-316FFAAECD7B} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe
"C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe"
2⤵
- Executes dropped EXE
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe

Filesize
817KB

MD5
a7340ee7541332a86cd95f782951ebbe

SHA1
d4dc87a386f69898d1a385b19f6b08f881d5bc82

SHA256
19b08a3d82aa6d41ab851f4cadcbe9199cfcf0f931076ea24601675630ac207b

SHA512
71495abe79a0bd3dcb4feb59c1707672bb3a9cd4174401843927101135c74324f4e601badbd110bf0e3dec64a3ea76a0447de7fe1f29d7623afba43260a50eec

Download Submit
C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe

Filesize
817KB

MD5
a7340ee7541332a86cd95f782951ebbe

SHA1
d4dc87a386f69898d1a385b19f6b08f881d5bc82

SHA256
19b08a3d82aa6d41ab851f4cadcbe9199cfcf0f931076ea24601675630ac207b

SHA512
71495abe79a0bd3dcb4feb59c1707672bb3a9cd4174401843927101135c74324f4e601badbd110bf0e3dec64a3ea76a0447de7fe1f29d7623afba43260a50eec

Download Submit
memory/328-68-0x0000000000000000-mapping.dmp

Download
memory/692-69-0x0000000000000000-mapping.dmp

Download
memory/1092-71-0x0000000000000000-mapping.dmp

Download
memory/1508-59-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1508-63-0x000000000040312C-mapping.dmp

Download
memory/1508-65-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1508-62-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1508-57-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1508-72-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1508-56-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1792-70-0x0000000000000000-mapping.dmp

Download
memory/1876-74-0x0000000000000000-mapping.dmp

Download
memory/1876-76-0x0000000001380000-0x0000000001452000-memory.dmp

Filesize
840KB

Download
memory/2020-54-0x00000000011A0000-0x0000000001272000-memory.dmp

Filesize
840KB

Download
memory/2020-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads