darkcloud | 0af86997d67c85c4d03e2d8b362a277f0bca5d09e2885e1a475ee4e009c1375e

General

Target

PAUL DETAIL.exe
Size

817KB
MD5

a7340ee7541332a86cd95f782951ebbe
SHA1

d4dc87a386f69898d1a385b19f6b08f881d5bc82
SHA256

19b08a3d82aa6d41ab851f4cadcbe9199cfcf0f931076ea24601675630ac207b
SHA512

71495abe79a0bd3dcb4feb59c1707672bb3a9cd4174401843927101135c74324f4e601badbd110bf0e3dec64a3ea76a0447de7fe1f29d7623afba43260a50eec
SSDEEP

12288:etXKAsTzmv/BSSe3YqLdylsJBqygC6vau:etXyk53eXJ6pygv

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Executes dropped EXE 3 IoCs

Processes:

sideris cyt 3.exesideris cyt 3.exesideris cyt 3.exe

pid process

4776 sideris cyt 3.exe
2388 sideris cyt 3.exe
1056 sideris cyt 3.exe

pid	process
4776	sideris cyt 3.exe
2388	sideris cyt 3.exe
1056	sideris cyt 3.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PAUL DETAIL.exesideris cyt 3.exe

description	pid	process	target process
PID 2176 set thread context of 4584	2176	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 4776 set thread context of 2388	4776	sideris cyt 3.exe	sideris cyt 3.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4420 schtasks.exe
4684 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PAUL DETAIL.exe

pid process

4584 PAUL DETAIL.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PAUL DETAIL.exe

pid process

4584 PAUL DETAIL.exe

pid	process
4420	schtasks.exe
4684	schtasks.exe

pid	process
4584	PAUL DETAIL.exe

pid	process
4584	PAUL DETAIL.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

PAUL DETAIL.execmd.exesideris cyt 3.execmd.exe

description	pid	process	target process
PID 2176 wrote to memory of 4584	2176	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2176 wrote to memory of 4584	2176	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2176 wrote to memory of 4584	2176	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2176 wrote to memory of 4584	2176	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2176 wrote to memory of 4584	2176	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2176 wrote to memory of 4584	2176	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2176 wrote to memory of 4584	2176	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2176 wrote to memory of 4584	2176	PAUL DETAIL.exe	PAUL DETAIL.exe
PID 2176 wrote to memory of 4280	2176	PAUL DETAIL.exe	cmd.exe
PID 2176 wrote to memory of 4280	2176	PAUL DETAIL.exe	cmd.exe
PID 2176 wrote to memory of 4280	2176	PAUL DETAIL.exe	cmd.exe
PID 2176 wrote to memory of 3228	2176	PAUL DETAIL.exe	cmd.exe
PID 2176 wrote to memory of 3228	2176	PAUL DETAIL.exe	cmd.exe
PID 2176 wrote to memory of 3228	2176	PAUL DETAIL.exe	cmd.exe
PID 2176 wrote to memory of 3904	2176	PAUL DETAIL.exe	cmd.exe
PID 2176 wrote to memory of 3904	2176	PAUL DETAIL.exe	cmd.exe
PID 2176 wrote to memory of 3904	2176	PAUL DETAIL.exe	cmd.exe
PID 3228 wrote to memory of 4420	3228	cmd.exe	schtasks.exe
PID 3228 wrote to memory of 4420	3228	cmd.exe	schtasks.exe
PID 3228 wrote to memory of 4420	3228	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 2388	4776	sideris cyt 3.exe	sideris cyt 3.exe
PID 4776 wrote to memory of 2388	4776	sideris cyt 3.exe	sideris cyt 3.exe
PID 4776 wrote to memory of 2388	4776	sideris cyt 3.exe	sideris cyt 3.exe
PID 4776 wrote to memory of 2388	4776	sideris cyt 3.exe	sideris cyt 3.exe
PID 4776 wrote to memory of 2388	4776	sideris cyt 3.exe	sideris cyt 3.exe
PID 4776 wrote to memory of 2388	4776	sideris cyt 3.exe	sideris cyt 3.exe
PID 4776 wrote to memory of 2388	4776	sideris cyt 3.exe	sideris cyt 3.exe
PID 4776 wrote to memory of 2388	4776	sideris cyt 3.exe	sideris cyt 3.exe
PID 4776 wrote to memory of 4448	4776	sideris cyt 3.exe	cmd.exe
PID 4776 wrote to memory of 4448	4776	sideris cyt 3.exe	cmd.exe
PID 4776 wrote to memory of 4448	4776	sideris cyt 3.exe	cmd.exe
PID 4776 wrote to memory of 4924	4776	sideris cyt 3.exe	cmd.exe
PID 4776 wrote to memory of 4924	4776	sideris cyt 3.exe	cmd.exe
PID 4776 wrote to memory of 4924	4776	sideris cyt 3.exe	cmd.exe
PID 4776 wrote to memory of 544	4776	sideris cyt 3.exe	cmd.exe
PID 4776 wrote to memory of 544	4776	sideris cyt 3.exe	cmd.exe
PID 4776 wrote to memory of 544	4776	sideris cyt 3.exe	cmd.exe
PID 4924 wrote to memory of 4684	4924	cmd.exe	schtasks.exe
PID 4924 wrote to memory of 4684	4924	cmd.exe	schtasks.exe
PID 4924 wrote to memory of 4684	4924	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe
"C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe
"C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sideris cyt 3"
2⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4420

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL.exe" "C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe"
2⤵
PID:3904

C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe
"C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe
"C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe"
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sideris cyt 3"
2⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4684

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe" "C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe"
2⤵
PID:544

C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe
"C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe"
1⤵
- Executes dropped EXE
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sideris cyt 3.exe.log

Filesize
612B

MD5
4bc94363628f46b343c5e8e2da62ca26

SHA1
8a41ac46e24d790e11a407d0e957c4a6be6056c4

SHA256
c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a

SHA512
cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829

Download Submit
C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe

Filesize
817KB

MD5
a7340ee7541332a86cd95f782951ebbe

SHA1
d4dc87a386f69898d1a385b19f6b08f881d5bc82

SHA256
19b08a3d82aa6d41ab851f4cadcbe9199cfcf0f931076ea24601675630ac207b

SHA512
71495abe79a0bd3dcb4feb59c1707672bb3a9cd4174401843927101135c74324f4e601badbd110bf0e3dec64a3ea76a0447de7fe1f29d7623afba43260a50eec

Download Submit
C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe

Filesize
817KB

MD5
a7340ee7541332a86cd95f782951ebbe

SHA1
d4dc87a386f69898d1a385b19f6b08f881d5bc82

SHA256
19b08a3d82aa6d41ab851f4cadcbe9199cfcf0f931076ea24601675630ac207b

SHA512
71495abe79a0bd3dcb4feb59c1707672bb3a9cd4174401843927101135c74324f4e601badbd110bf0e3dec64a3ea76a0447de7fe1f29d7623afba43260a50eec

Download Submit
C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe

Filesize
817KB

MD5
a7340ee7541332a86cd95f782951ebbe

SHA1
d4dc87a386f69898d1a385b19f6b08f881d5bc82

SHA256
19b08a3d82aa6d41ab851f4cadcbe9199cfcf0f931076ea24601675630ac207b

SHA512
71495abe79a0bd3dcb4feb59c1707672bb3a9cd4174401843927101135c74324f4e601badbd110bf0e3dec64a3ea76a0447de7fe1f29d7623afba43260a50eec

Download Submit
C:\Users\Admin\AppData\Roaming\sideris cyt 3\sideris cyt 3.exe

Filesize
817KB

MD5
a7340ee7541332a86cd95f782951ebbe

SHA1
d4dc87a386f69898d1a385b19f6b08f881d5bc82

SHA256
19b08a3d82aa6d41ab851f4cadcbe9199cfcf0f931076ea24601675630ac207b

SHA512
71495abe79a0bd3dcb4feb59c1707672bb3a9cd4174401843927101135c74324f4e601badbd110bf0e3dec64a3ea76a0447de7fe1f29d7623afba43260a50eec

Download Submit
memory/544-155-0x0000000000000000-mapping.dmp

Download
memory/2176-133-0x0000000005390000-0x0000000005934000-memory.dmp

Filesize
5.6MB

Download
memory/2176-134-0x0000000004E50000-0x0000000004EB6000-memory.dmp

Filesize
408KB

Download
memory/2176-132-0x00000000003C0000-0x0000000000492000-memory.dmp

Filesize
840KB

Download
memory/2388-148-0x0000000000000000-mapping.dmp

Download
memory/3228-141-0x0000000000000000-mapping.dmp

Download
memory/3904-142-0x0000000000000000-mapping.dmp

Download
memory/4280-140-0x0000000000000000-mapping.dmp

Download
memory/4420-143-0x0000000000000000-mapping.dmp

Download
memory/4448-153-0x0000000000000000-mapping.dmp

Download
memory/4584-138-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4584-145-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4584-136-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4584-135-0x0000000000000000-mapping.dmp

Download
memory/4684-156-0x0000000000000000-mapping.dmp

Download
memory/4924-154-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads