darkcloud | 123cb065e30c433b8d1f1caacba94c6c1be62f019d5a2ebadf8162a9e83cefe3 | Triage

Sharing

General

Target

123CB065E30C433B8D1F1CAACBA94C6C1BE62F019D5A2EBADF8162A9E83CEFE3
Size

561KB
Sample

230208-v2fatsde49
MD5

c3e50288d7cdc1c4b99ea59c2e13b938
SHA1

ffff559fb4929dab0e56c72ddf0e29b70a95189f
SHA256

123cb065e30c433b8d1f1caacba94c6c1be62f019d5a2ebadf8162a9e83cefe3
SHA512

a3bef68671705ca3e228867b222e12fd035ebf0b3981bafe6d13eabffa490e9eacb202057e5688c6fc4203b93287611752cca76083569344c35003d8708337b4
SSDEEP

12288:Ns7LhwP6x+Wy8KEjFWPaM/0cyT+dGxjlLJpQmo4O6B3Bm/pXXERn:0LhojIWP10XasPW4O6BxkXwn

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Targets

- Target
  
  Sales Pending Order 23.01.23.exe
- Size
  
  677KB
- MD5
  
  627111e07b1ec6082b66f3d7772c8ba4
- SHA1
  
  a5f0e223754b60c6ff804899566e4dc30afd5c9c
- SHA256
  
  4848786ab1a4eb53f5bd0826c59c9620ea60e544b11e0d9183965fc0afe380de
- SHA512
  
  f9f3c70a6025ac3a379bdfadedc4d723517804703cbb5059be6f1906553afd7d6e3a30543eedef85015ea179689306bb4a4e8f91c2ea2c3228762703a3ac6bb9
- SSDEEP
  
  12288:MYFAdHC42vi+sNvSPJvWSE7y7GoSBj8A96i9ia5dSozDT6a+4:MYqdHC42qfvSPRWSWy79A93Ia/SwuK
Score

10^/10

darkcloud persistence stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcloudpersistencestealer

behavioral2

darkcloudpersistencestealer