darkcloud | 88d3e6ab24b2309b81b9610ecb527390b5ad2ec6419e50ef357840e86f00b0bc

General

Target

PAUL DETAIL's..exe
Size

817KB
MD5

c5d2095e8e1f8e9af9fd19ba2c885de4
SHA1

db7c115bec56a8a3672d32896db2375af842ddee
SHA256

2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c
SHA512

74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66
SSDEEP

6144:SqyVDmmHOegxgaoJ6rVyFHp9pK3HseCSamdVFWGmOWCouHohuC9OJ+F8Y/WGMXEg:IMMO70JMmremUVF3pWfYJMlTLGdGtF

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Executes dropped EXE 3 IoCs

Processes:

sideris cyt 2.exesideris cyt 2.exesideris cyt 2.exe

pid process

2244 sideris cyt 2.exe
1296 sideris cyt 2.exe
4140 sideris cyt 2.exe

pid	process
2244	sideris cyt 2.exe
1296	sideris cyt 2.exe
4140	sideris cyt 2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PAUL DETAIL's..exesideris cyt 2.exe

description	pid	process	target process
PID 1516 set thread context of 3244	1516	PAUL DETAIL's..exe	PAUL DETAIL's..exe
PID 2244 set thread context of 1296	2244	sideris cyt 2.exe	sideris cyt 2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5104 schtasks.exe
4584 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

PAUL DETAIL's..exesideris cyt 2.exe

pid process

3244 PAUL DETAIL's..exe
1296 sideris cyt 2.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PAUL DETAIL's..exesideris cyt 2.exe

pid process

3244 PAUL DETAIL's..exe
1296 sideris cyt 2.exe

pid	process
5104	schtasks.exe
4584	schtasks.exe

pid	process
3244	PAUL DETAIL's..exe
1296	sideris cyt 2.exe

pid	process
3244	PAUL DETAIL's..exe
1296	sideris cyt 2.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

PAUL DETAIL's..execmd.exesideris cyt 2.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 3244	1516	PAUL DETAIL's..exe	PAUL DETAIL's..exe
PID 1516 wrote to memory of 3244	1516	PAUL DETAIL's..exe	PAUL DETAIL's..exe
PID 1516 wrote to memory of 3244	1516	PAUL DETAIL's..exe	PAUL DETAIL's..exe
PID 1516 wrote to memory of 3244	1516	PAUL DETAIL's..exe	PAUL DETAIL's..exe
PID 1516 wrote to memory of 3244	1516	PAUL DETAIL's..exe	PAUL DETAIL's..exe
PID 1516 wrote to memory of 3244	1516	PAUL DETAIL's..exe	PAUL DETAIL's..exe
PID 1516 wrote to memory of 3244	1516	PAUL DETAIL's..exe	PAUL DETAIL's..exe
PID 1516 wrote to memory of 3244	1516	PAUL DETAIL's..exe	PAUL DETAIL's..exe
PID 1516 wrote to memory of 3132	1516	PAUL DETAIL's..exe	cmd.exe
PID 1516 wrote to memory of 3132	1516	PAUL DETAIL's..exe	cmd.exe
PID 1516 wrote to memory of 3132	1516	PAUL DETAIL's..exe	cmd.exe
PID 1516 wrote to memory of 1376	1516	PAUL DETAIL's..exe	cmd.exe
PID 1516 wrote to memory of 1376	1516	PAUL DETAIL's..exe	cmd.exe
PID 1516 wrote to memory of 1376	1516	PAUL DETAIL's..exe	cmd.exe
PID 1516 wrote to memory of 1384	1516	PAUL DETAIL's..exe	cmd.exe
PID 1516 wrote to memory of 1384	1516	PAUL DETAIL's..exe	cmd.exe
PID 1516 wrote to memory of 1384	1516	PAUL DETAIL's..exe	cmd.exe
PID 1376 wrote to memory of 5104	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 5104	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 5104	1376	cmd.exe	schtasks.exe
PID 2244 wrote to memory of 1296	2244	sideris cyt 2.exe	sideris cyt 2.exe
PID 2244 wrote to memory of 1296	2244	sideris cyt 2.exe	sideris cyt 2.exe
PID 2244 wrote to memory of 1296	2244	sideris cyt 2.exe	sideris cyt 2.exe
PID 2244 wrote to memory of 1296	2244	sideris cyt 2.exe	sideris cyt 2.exe
PID 2244 wrote to memory of 1296	2244	sideris cyt 2.exe	sideris cyt 2.exe
PID 2244 wrote to memory of 1296	2244	sideris cyt 2.exe	sideris cyt 2.exe
PID 2244 wrote to memory of 1296	2244	sideris cyt 2.exe	sideris cyt 2.exe
PID 2244 wrote to memory of 1296	2244	sideris cyt 2.exe	sideris cyt 2.exe
PID 2244 wrote to memory of 4692	2244	sideris cyt 2.exe	cmd.exe
PID 2244 wrote to memory of 4692	2244	sideris cyt 2.exe	cmd.exe
PID 2244 wrote to memory of 4692	2244	sideris cyt 2.exe	cmd.exe
PID 2244 wrote to memory of 2556	2244	sideris cyt 2.exe	cmd.exe
PID 2244 wrote to memory of 2556	2244	sideris cyt 2.exe	cmd.exe
PID 2244 wrote to memory of 2556	2244	sideris cyt 2.exe	cmd.exe
PID 2244 wrote to memory of 396	2244	sideris cyt 2.exe	cmd.exe
PID 2244 wrote to memory of 396	2244	sideris cyt 2.exe	cmd.exe
PID 2244 wrote to memory of 396	2244	sideris cyt 2.exe	cmd.exe
PID 2556 wrote to memory of 4584	2556	cmd.exe	schtasks.exe
PID 2556 wrote to memory of 4584	2556	cmd.exe	schtasks.exe
PID 2556 wrote to memory of 4584	2556	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe
"C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe
"C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3244

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sideris cyt 2"
2⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5104

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\PAUL DETAIL's..exe" "C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
2⤵
PID:1384

C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
"C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
"C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sideris cyt 2"
2⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4584

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe" "C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
2⤵
PID:396

C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe
"C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe"
1⤵
- Executes dropped EXE
PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sideris cyt 2.exe.log

Filesize
612B

MD5
4bc94363628f46b343c5e8e2da62ca26

SHA1
8a41ac46e24d790e11a407d0e957c4a6be6056c4

SHA256
c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a

SHA512
cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829

Download Submit
C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe

Filesize
817KB

MD5
c5d2095e8e1f8e9af9fd19ba2c885de4

SHA1
db7c115bec56a8a3672d32896db2375af842ddee

SHA256
2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c

SHA512
74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66

Download Submit
C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe

Filesize
817KB

MD5
c5d2095e8e1f8e9af9fd19ba2c885de4

SHA1
db7c115bec56a8a3672d32896db2375af842ddee

SHA256
2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c

SHA512
74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66

Download Submit
C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe

Filesize
817KB

MD5
c5d2095e8e1f8e9af9fd19ba2c885de4

SHA1
db7c115bec56a8a3672d32896db2375af842ddee

SHA256
2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c

SHA512
74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66

Download Submit
C:\Users\Admin\AppData\Roaming\sideris cyt 2\sideris cyt 2.exe

Filesize
817KB

MD5
c5d2095e8e1f8e9af9fd19ba2c885de4

SHA1
db7c115bec56a8a3672d32896db2375af842ddee

SHA256
2e4663d20f62d72f1ffd25ada448dc25fba8681ad0755fdd0451f460b2dc570c

SHA512
74ac28f939655b85dcf14d56df23942bee8c60a485aee361e5ebf64ffd53bb69e8b27106d7512d54130622325ab00dd917d04a9b729cfd9ddede5b8d2ecc5c66

Download Submit
memory/396-158-0x0000000000000000-mapping.dmp

Download
memory/1296-149-0x0000000000000000-mapping.dmp

Download
memory/1296-161-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1296-160-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1376-140-0x0000000000000000-mapping.dmp

Download
memory/1384-142-0x0000000000000000-mapping.dmp

Download
memory/1516-132-0x0000000000CD0000-0x0000000000DA2000-memory.dmp

Filesize
840KB

Download
memory/1516-134-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/1516-133-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/2556-157-0x0000000000000000-mapping.dmp

Download
memory/3132-139-0x0000000000000000-mapping.dmp

Download
memory/3244-138-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3244-136-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3244-146-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3244-135-0x0000000000000000-mapping.dmp

Download
memory/3244-145-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4584-159-0x0000000000000000-mapping.dmp

Download
memory/4692-154-0x0000000000000000-mapping.dmp

Download
memory/5104-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads