darkcloud | 2c052f280518499f2bccb0395a93567ee0ca625904ce0bb5b5302ed55598cbbd

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 07:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DHL AWB DOCUMENT.exe
Size

442KB
MD5

c05596dc6967d015d7bf0a57c027e428
SHA1

cb2d6b07aa66706f8a899e3205b29aec36843569
SHA256

2c052f280518499f2bccb0395a93567ee0ca625904ce0bb5b5302ed55598cbbd
SHA512

c93fef93b23bf0f9c5faabf3bc606eb48680af888142c73128daa4c4d7a88e4621f8ff38161eb15aa6d8b5bb7114b4c6ffbb1b2738042604331301a152ec8708
SSDEEP

12288:PY0AXIx8wDoZkj6BdLm4HcgHTd0BJfQSgrCo24:PY0+w8AodNeIZgJfQSgWob

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

https://api.telegram.org/bot6220925905:AAFbd3Et4YQi4C1WTvNkPbMsAOdz5c8giT0/sendMessage?chat_id=5463149861

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Executes dropped EXE 2 IoCs

pid	Process
4764	vdafy.exe
4368	vdafy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4764 set thread context of 4368	4764	vdafy.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4764	vdafy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4368	vdafy.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 4764	4980	DHL AWB DOCUMENT.exe	84
PID 4980 wrote to memory of 4764	4980	DHL AWB DOCUMENT.exe	84
PID 4980 wrote to memory of 4764	4980	DHL AWB DOCUMENT.exe	84
PID 4764 wrote to memory of 4368	4764	vdafy.exe	85
PID 4764 wrote to memory of 4368	4764	vdafy.exe	85
PID 4764 wrote to memory of 4368	4764	vdafy.exe	85
PID 4764 wrote to memory of 4368	4764	vdafy.exe	85

C:\Users\Admin\AppData\Local\Temp\DHL AWB DOCUMENT.exe
"C:\Users\Admin\AppData\Local\Temp\DHL AWB DOCUMENT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\vdafy.exe
  "C:\Users\Admin\AppData\Local\Temp\vdafy.exe" C:\Users\Admin\AppData\Local\Temp\kykkju.l
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\vdafy.exe
    "C:\Users\Admin\AppData\Local\Temp\vdafy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holkoedfoil.w

Filesize
500KB

MD5
5b3e49994957fa30da172fa4cba1c0f8

SHA1
f574b73b4185d9b5a7354a0ab9a7ffac9dfb46b7

SHA256
557abca04f57b737d9e9202614e84c907114b24cf833c566b189bcedf9addfae

SHA512
e832de240d933a35b377ee334a43db34c353955c210a6add8fc7b40c6241c7a2bffaae7d934fcc489146bc4e703f051b3a54dace0d2c81565d821441643337e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kykkju.l

Filesize
5KB

MD5
e4679416a6f465266c47e519d70f6b36

SHA1
53d9cd5ed74ef19075b48215c159ed34dc1ddc87

SHA256
fb88043ccf6c0fa384f73b13dd980077eed5270b8551b9dd8b7469aeb33c0b8b

SHA512
14cb9b46f84687ab8ce560dcc5bd80788021ae91dc0b302cb0ea7d4ef9790103f10cac56979015fa2a4d4d1cf20a50c3d2908296cc6615fd7033f6ae6420e740

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdafy.exe

Filesize
52KB

MD5
e01ef3c540ae231d58e9b8171d03650a

SHA1
1271856e07d9aaef8a67d7b8387145050f42b612

SHA256
b4d049769104f27b3788628a792bf50e8550e8af0af2b045036b3cafa1a613c9

SHA512
86bf36010c7c8c09095a47e01d35a321a46464db4c3b37091fc63d04e96a47d6bd26b97e35eee5ed492a134a6e59bc0759512274ce0396ede6ac263f2b14a6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdafy.exe

Filesize
52KB

MD5
e01ef3c540ae231d58e9b8171d03650a

SHA1
1271856e07d9aaef8a67d7b8387145050f42b612

SHA256
b4d049769104f27b3788628a792bf50e8550e8af0af2b045036b3cafa1a613c9

SHA512
86bf36010c7c8c09095a47e01d35a321a46464db4c3b37091fc63d04e96a47d6bd26b97e35eee5ed492a134a6e59bc0759512274ce0396ede6ac263f2b14a6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdafy.exe

Filesize
52KB

MD5
e01ef3c540ae231d58e9b8171d03650a

SHA1
1271856e07d9aaef8a67d7b8387145050f42b612

SHA256
b4d049769104f27b3788628a792bf50e8550e8af0af2b045036b3cafa1a613c9

SHA512
86bf36010c7c8c09095a47e01d35a321a46464db4c3b37091fc63d04e96a47d6bd26b97e35eee5ed492a134a6e59bc0759512274ce0396ede6ac263f2b14a6ad

Download Submit
memory/4368-142-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4368-145-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4368-149-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4368-150-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4764-140-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download