General

  • Target

    payment23680.00.exe.bin

  • Size

    1.1MB

  • Sample

    230505-zp2qhsec42

  • MD5

    c967dc56f4b18b51dbf16aa276da9561

  • SHA1

    d6481b2bff7fdae85eeea5d93585f909d84cc9c0

  • SHA256

    1fc2517f39da363bb029b78eabb712d7ffe75f2dc5f114ff6968283ee881f4d8

  • SHA512

    69aef710a7e8d2dd519e19b55877e2f843db6170b7f792a8a0a6fb6b4f12c081fbd217469a7bac0d67084907769a95a912eab64e7ca17129aeae5122278f725a

  • SSDEEP

    24576:jTbBv5rUDWxz5LAXjXXRQFX8KZB8SpUUBQjqfYTfz7V2EggiVEn:9Bt5UtQSAnUUZ8V2EgS

Malware Config

Extracted

Family

darkcloud

Targets

    • Target

      payment23680.00.exe.bin

    • DarkCloud

      An information stealer written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
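Two things a responder typically does with a report like this are to confirm that a file on disk is the reported sample, and to look for the listed behaviours (registry locale lookup, Run-key persistence, execution of a dropped EXE) in a trace. The script below is an added example written for this page; it is not code from the Triage report or from the DarkCloud sample. The hashes are copied from the report; the registry value names used for the "location settings" check (Geo\Nation, sCountry, Locale) are my assumption of what that signature refers to, and the trace records are constructed, not real telemetry.

```python
# Added example (not code from the Triage report or the DarkCloud sample):
#   1. confirm a file on disk is the reported sample by hashing it;
#   2. flag the reported behaviours (Run-key persistence, registry locale
#      lookup, execution of a dropped EXE) in a sandbox-style API trace.
import hashlib
import re

# Digests copied from the report for payment23680.00.exe.bin.
REPORT_HASHES = {
    "md5": "c967dc56f4b18b51dbf16aa276da9561",
    "sha1": "d6481b2bff7fdae85eeea5d93585f909d84cc9c0",
    "sha256": "1fc2517f39da363bb029b78eabb712d7ffe75f2dc5f114ff6968283ee881f4d8",
}


def hash_bytes(data):
    """Return lowercase md5/sha1/sha256 hex digests of an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def hash_file(path):
    """Same digests for a file on disk, streamed in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_report(digests, expected=REPORT_HASHES):
    """True only when every listed digest matches; one mismatch means a different file."""
    return all(digests.get(name) == value.lower() for name, value in expected.items())


# Run/RunOnce is the standard persistence key. The locale values below are an
# ASSUMPTION about what "Checks computer location settings" refers to; the
# report does not name the key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
LOCALE_RE = re.compile(
    r"\\Control Panel\\International\\(Geo\\Nation|sCountry|Locale)$", re.I)
# A process image started from a user-writable drop location.
DROP_DIR_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def triage_events(events):
    """Tag each (op, target, detail) trace record that matches a reported behaviour.

    Records use a constructed, sandbox-style shape:
      ("RegSetValue", key_path, data)
      ("RegQueryValue", key_path, "")
      ("CreateProcess", image_path, parent_image)
    """
    findings = []
    for op, target, detail in events:
        if op == "RegSetValue" and RUN_KEY_RE.search(target):
            findings.append(("persistence:run_key", target, detail))
        elif op == "RegQueryValue" and LOCALE_RE.search(target):
            findings.append(("geofence:locale_lookup", target, detail))
        elif op == "CreateProcess" and DROP_DIR_RE.match(target):
            findings.append(("execution:dropped_exe", target, detail))
    return findings


# Constructed trace for demonstration only; paths and names are invented.
SAMPLE_TRACE = [
    ("RegQueryValue", r"HKCU\Control Panel\International\Geo\Nation", ""),
    ("RegSetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     r"C:\Users\victim\AppData\Roaming\WindowsUpdate\update.exe"),
    ("RegQueryValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", ""),
    ("CreateProcess", r"C:\Users\victim\AppData\Roaming\WindowsUpdate\update.exe",
     r"C:\Users\victim\Downloads\payment23680.00.exe"),
    ("CreateProcess", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    # Usage against a real file: matches_report(hash_file("payment23680.00.exe.bin"))
    for tag, target, detail in triage_events(SAMPLE_TRACE):
        print(f"{tag:26} {target}  <- {detail}")
```

SetThreadContext is deliberately not covered: a trace of that call only becomes meaningful together with the CreateProcess (suspended) / WriteProcessMemory / ResumeThread sequence around it, which this report does not list, so a rule keyed on the single API would be noisy.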
