darkcloud | 1716487b103dc267d5d1d0ad0f83565c11e3a18b0fd840f7b16893a14716b299 | Triage

Sharing

General

Target

fbc4371a517670d9e0f3df4b423f1128c98538ab
Size

829KB
Sample

230201-qdkhesff4v
MD5

9db0cb8ce863c77576b7fe8a65c4c200
SHA1

fbc4371a517670d9e0f3df4b423f1128c98538ab
SHA256

1716487b103dc267d5d1d0ad0f83565c11e3a18b0fd840f7b16893a14716b299
SHA512

99e72029cc0ead9587a009d79fde561ca651db2380265d06fbb5408e01d07939a11b812e81f2360e5593f12ba4fa499ee85ce7106a58001c679f6a4a9b931fe3
SSDEEP

12288:2Y7mobjGBDlFYlWxHE1DtDjZ6mmjgn9LmszAipCEKW/DiaC:2Y7HjGRlFYM9EttDjgPgnUHWLi3

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Targets

- Target
  
  fbc4371a517670d9e0f3df4b423f1128c98538ab
- Size
  
  829KB
- MD5
  
  9db0cb8ce863c77576b7fe8a65c4c200
- SHA1
  
  fbc4371a517670d9e0f3df4b423f1128c98538ab
- SHA256
  
  1716487b103dc267d5d1d0ad0f83565c11e3a18b0fd840f7b16893a14716b299
- SHA512
  
  99e72029cc0ead9587a009d79fde561ca651db2380265d06fbb5408e01d07939a11b812e81f2360e5593f12ba4fa499ee85ce7106a58001c679f6a4a9b931fe3
- SSDEEP
  
  12288:2Y7mobjGBDlFYlWxHE1DtDjZ6mmjgn9LmszAipCEKW/DiaC:2Y7HjGRlFYM9EttDjgPgnUHWLi3
Score

10^/10

darkcloud persistence stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcloudpersistencestealer

behavioral2

darkcloudpersistencestealer