Overview

overview

10

Static

static

3

OrdemdeCompra.exe

windows7-x64

1

OrdemdeCompra.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 20:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    OrdemdeCompra.exe

  • Size

    1.0MB

  • MD5

    c041ea1db65b15853616addc268a5342

  • SHA1

    ff86b0e7c04739835f043da76dca91f8e49351a9

  • SHA256

    55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f

  • SHA512

    85201389170c4fe57d55a3e8b4e9cacecd13bf954ebd3659dfcbe957c75bf227173aa3d2d6f45e852973ba69ff7c582f7000bf66a8f20f5b8fa0dcec1cd95d39

  • SSDEEP

    24576:yjCFyy3LuJCKhieUHU03chggmYBKtBp6F:yyyy33GinHC/dBKt

Score
10/10
darkcloudstealer

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot5747177798:AAGv5MNvuUjtsZ9QlXMkdP6QssoMkGFSw6s/sendMessage?chat_id=805410216

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

    stealerdarkcloud
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OrdemdeCompra.exe
    "C:\Users\Admin\AppData\Local\Temp\OrdemdeCompra.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Users\Admin\AppData\Local\Temp\OrdemdeCompra.exe
      "C:\Users\Admin\AppData\Local\Temp\OrdemdeCompra.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1384

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/972-133-0x0000000000070000-0x000000000017A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/972-134-0x0000000005130000-0x00000000056D4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/972-135-0x0000000004B80000-0x0000000004C12000-memory.dmp

          Filesize

          584KB

          Download

        • memory/972-136-0x0000000004B10000-0x0000000004B1A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/972-137-0x0000000004D90000-0x0000000004DA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/972-138-0x0000000004D90000-0x0000000004DA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/972-139-0x0000000006A50000-0x0000000006AEC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/1384-140-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/1384-143-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/1384-146-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/1384-147-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download