General

  • Target

    Booking_0026_062pdf.exe

  • Size

    41KB

  • Sample

    230502-nmp36aag99

  • MD5

    ac798236993af26702d4307c4f999bff

  • SHA1

    ac0be0ef8ec71dd0d6f93b7936ab6e08b99e6477

  • SHA256

    814feb1393d69a3a46e80c35cabffc0c24ee035c94754e72179ca8627afc2e08

  • SHA512

    1688a03458732edd314d3b368ed5c1ad502c41760eac3f4f82ed5b9534e3dea01f635cdcc912771794cd36d82577bc6c197411c7e659b978540f51168307f654

  • SSDEEP

    384:s34L7mVUfN0Y6+v6X7LiIqr5LR5FxlQV1111yt6cj4ajdU:scKwFv27+15xxlQV1111O6cddU
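
The hashes above are the IOCs a responder actually pivots on, so it is worth checking a local copy of the sample against them before doing anything else with it. The following script is an added example, not part of the original report or of the sandbox that produced it: it streams a file through MD5/SHA1/SHA256/SHA512 and compares the digests with the values listed above. The `IOC` table is copied from the report; the `sample.bin` path is a placeholder you supply. SSDEEP is not computed because it needs a third-party module (`ssdeep`/`ppdeep`), so the fuzzy hash is left out.

```python
"""Check a local file against the hashes the report lists for Booking_0026_062pdf.exe.

Added example, not from the original report. The IOC digests are copied from
the report; ``sample.bin`` is a placeholder path (assumption).
"""
import hashlib
import sys

# Digests copied from the report for Booking_0026_062pdf.exe (41KB).
IOC = {
    "md5": "ac798236993af26702d4307c4f999bff",
    "sha1": "ac0be0ef8ec71dd0d6f93b7936ab6e08b99e6477",
    "sha256": "814feb1393d69a3a46e80c35cabffc0c24ee035c94754e72179ca8627afc2e08",
    "sha512": "1688a03458732edd314d3b368ed5c1ad502c41760eac3f4f82ed5b9534e3dea0"
              "1f635cdcc912771794cd36d82577bc6c197411c7e659b978540f51168307f654",
}


def digest_chunks(chunks):
    """Feed an iterable of byte chunks through every algorithm in IOC at once."""
    digests = {name: hashlib.new(name) for name in IOC}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def digest_bytes(data):
    """Hash an in-memory buffer (handy for tests and small artefacts)."""
    return digest_chunks([data])


def file_hashes(path):
    """Hash a file in 1 MiB chunks so large samples do not get read into memory."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(1 << 20), b""))


def compare_ioc(hashes, ioc=IOC):
    """Per-algorithm match result; comparison is case-insensitive on hex."""
    return {name: hashes.get(name, "").lower() == ioc[name].lower() for name in ioc}


def is_known_sample(hashes, ioc=IOC):
    """True only when every listed algorithm agrees.

    A partial match (say SHA256 matches but MD5 does not) cannot happen for a
    genuine file and means the IOC list itself was copied incorrectly, so it is
    treated as 'not confirmed' rather than as a hit.
    """
    return all(compare_ioc(hashes, ioc).values())


if __name__ == "__main__":
    # Placeholder path (assumption); pass the real sample on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "sample.bin"
    result = file_hashes(target)
    for name, ok in compare_ioc(result).items():
        print(f"{name:7s} {result[name]}  {'MATCH' if ok else 'no match'}")
    print("known sample" if is_known_sample(result) else "not the listed sample")
```

Run it as `python check_sample.py Booking_0026_062pdf.exe`; a file that matches on all four algorithms is the sample the report describes, while a file that matches on none is simply a different binary and should be triaged on its own.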

Malware Config

Targets

    • Target

      Booking_0026_062pdf.exe

    • DarkCloud

      An information stealer written in Visual Basic.

    • Checks computer location settings

      Reads the country code configured in the registry (typically the Geo\Nation value under HKCU\Control Panel\International). Stealers commonly use this as a geofence to skip or limit execution in particular countries.

    • Executes dropped EXE

      Runs an executable that the sample itself wrote to disk.

    • Loads dropped DLL

      Loads a DLL that the sample itself wrote to disk.

    • Adds Run key to start application

      Writes a value under Software\Microsoft\Windows\CurrentVersion\Run so the application is launched again at logon (persistence).

    • Suspicious use of SetThreadContext

      Rewrites the execution context of a thread in another process; this is the classic final step of process hollowing and other code-injection techniques.
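
The signatures above are behaviour rules fired by the sandbox, and a responder reviewing their own telemetry usually wants the same logic expressed over a raw trace. The script below is an added example, not part of the original report or of the sandbox's rule set: it walks a list of registry, file, process and API events and returns the signature names from this report that the activity would trigger. The event format (plain dicts with a `type` field), the paths in `SAMPLE_TRACE`, and the hollowing heuristic (suspended child, `WriteProcessMemory`, then `SetThreadContext`) are all constructed assumptions based on what the signature names imply, not the sandbox's actual rule bodies.

```python
"""Re-derive the report's behaviour signatures from a constructed event trace.

Added example, not from the original report or the sandbox. Event shapes,
registry paths and the process-hollowing heuristic are assumptions.
"""
import re

# Registry locations each rule keys on (assumptions based on the signature names).
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess

# Added heuristic, not one of the report's signature names.
HOLLOWING = "Likely process hollowing (suspended child, memory written, SetThreadContext)"


def triage(events):
    """Return the sorted list of signature names the trace triggers."""
    hits = set()
    dropped = set()    # lower-cased paths the sample itself wrote
    suspended = {}     # child pid -> hollowing steps observed so far
    for ev in events:
        kind = ev["type"]
        if kind == "reg_read":
            if GEO_KEY.search(ev["key"]) and ev.get("value", "").lower() == "nation":
                hits.add("Checks computer location settings")
        elif kind == "reg_write":
            if RUN_KEY.search(ev["key"]):
                hits.add("Adds Run key to start application")
        elif kind == "file_write":
            dropped.add(ev["path"].lower())
        elif kind == "process_create":
            if ev["image"].lower() in dropped:
                hits.add("Executes dropped EXE")
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                suspended[ev["pid"]] = {"suspended"}
        elif kind == "load_library":
            if ev["path"].lower() in dropped:
                hits.add("Loads dropped DLL")
        elif kind == "api":
            steps = suspended.get(ev.get("pid"))
            if steps is None:
                continue  # only track calls aimed at a child we saw created suspended
            if ev["name"] == "WriteProcessMemory":
                steps.add("written")
            elif ev["name"] == "SetThreadContext":
                hits.add("Suspicious use of SetThreadContext")
                if "written" in steps:
                    hits.add(HOLLOWING)
    return sorted(hits)


# Constructed trace in the shape the report's signatures describe (not real telemetry).
SAMPLE_TRACE = [
    {"type": "reg_read", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "file_write", "path": r"C:\Users\user\AppData\Roaming\svc\helper.dll"},
    {"type": "file_write", "path": r"C:\Users\user\AppData\Roaming\svc\upd.exe"},
    {"type": "load_library", "path": r"C:\Users\user\AppData\Roaming\svc\helper.dll"},
    {"type": "reg_write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svc", "data": r"C:\Users\user\AppData\Roaming\svc\upd.exe"},
    {"type": "process_create", "image": r"C:\Users\user\AppData\Roaming\svc\upd.exe",
     "pid": 4412, "flags": CREATE_SUSPENDED},
    {"type": "api", "name": "WriteProcessMemory", "pid": 4412},
    {"type": "api", "name": "SetThreadContext", "pid": 4412},
    {"type": "api", "name": "ResumeThread", "pid": 4412},
]

# Constructed benign trace: an ordinary registry read and a normal child process.
BENIGN_TRACE = [
    {"type": "reg_read", "key": r"HKCU\Software\Example", "value": "Setting"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "pid": 100, "flags": 0},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_TRACE):
        print(name)
```

Note the order dependence: a process start only counts as "Executes dropped EXE" if the file write was seen first, and `SetThreadContext` is only flagged against a child the sample created suspended, which keeps ordinary debugger-style thread manipulation from tripping the hollowing heuristic.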

MITRE ATT&CK Enterprise v6

Tasks