darkcloud | 322eb06a1c789fa91c8e5e9aaaae961552669ae055606e7b8be8cc31dcf0dce7 | Triage

Sharing

General

Target

STATEMENT OF DUE.exe
Size

479KB
Sample

230214-se1xxaec57
MD5

f887d56a8c442677fa724d3faf86aafe
SHA1

f87552c2cb912299fce50b1f5e3a09dacfdb1f79
SHA256

322eb06a1c789fa91c8e5e9aaaae961552669ae055606e7b8be8cc31dcf0dce7
SHA512

c18e0183f7d3725dfccc9c45818e4e36dd657d3bae9144298d7c05eec22d819410c264864ced9f608afb12f4ff20f5b053e36cf6a320d2f779e2679826e163c0
SSDEEP

12288:RYWJFILPzIfF78f/EHBE6Zop+vq5BTRDchmjVdc:RYW43I978EHB9IBTRc

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Targets

- Target
  
  STATEMENT OF DUE.exe
- Size
  
  479KB
- MD5
  
  f887d56a8c442677fa724d3faf86aafe
- SHA1
  
  f87552c2cb912299fce50b1f5e3a09dacfdb1f79
- SHA256
  
  322eb06a1c789fa91c8e5e9aaaae961552669ae055606e7b8be8cc31dcf0dce7
- SHA512
  
  c18e0183f7d3725dfccc9c45818e4e36dd657d3bae9144298d7c05eec22d819410c264864ced9f608afb12f4ff20f5b053e36cf6a320d2f779e2679826e163c0
- SSDEEP
  
  12288:RYWJFILPzIfF78f/EHBE6Zop+vq5BTRDchmjVdc:RYW43I978EHB9IBTRc
Score

10^/10

darkcloud persistence stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcloudpersistencestealer

behavioral2

darkcloudpersistencestealer