Extracted

• • Target

    e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe

  • Size

    1.3MB

  • MD5

    accbbf5ca2c67a5d6f0b4bab71b5a81d

  • SHA1

    61816822b97a25ad36575520560c4eaca7876d7c

  • SHA256

    e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395

  • SHA512

    4fce6d4a824ff290c3b36d54e477c1d17050d28cc2d43defa4aa90f7715bc9b2b5a41b8b41518d573206788ccd36b7026f5d65064e7465809680b6be97aa8c2f

  • SSDEEP

    24576:DTbBv5rUDwcyw5LAXjXXRQFX8KZHbK5sUdSpUUBQjqfYTfz7V2EggiVE1+:dB1cL5UtQSWobCUUZ8V2Egy+

  Score

  10^/10

  darkcloudpersistencestealer

  • DarkCloud

    An information stealer written in Visual Basic.

    stealerdarkcloud

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2