General

  • Target: FOBPending.exe.bin
  • Size: 1.2MB
  • Sample: 230505-zg1s9agc5v
  • MD5: 5a7b4afc8d9c3dd58a10c88bee78a4e1
  • SHA1: 604d258a36a9dfdc200b7b050939b9805d4b3a63
  • SHA256: 7de19682e83250de593d83fb5c926f2bc3cffcafe408e100d36aca97d5c4f715
  • SHA512: 2e849cae4ca6673b193a35a587a21a93aee93eb78bdd6c177bd57fff8fbdf88d5a7de822b8e2f4e9635285ad9823fb174b46326d286c5a0628ca9424ddf175c0
  • SSDEEP: 24576:TTbBv5rUDAbVkNd5+3bZJaH9VBIpUUBQjqfYTj1Wz7V2EggiVEUsG:NBDeT+bZwH9VBgUUZRV2EgTsG

Malware Config

Extracted

  • Family: darkcloud
  • C2: https://api.telegram.org/bot5261540771:AAHpybxDtEnwQtX4w7iGcSpo7-vbVF4FJuk/sendMessage?chat_id=5130831629

Targets

    • DarkCloud

      An information stealer written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks