darkcloud | 9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

LIST OF ORDER.pdf.exe
Size

441KB
Sample

230523-stt3xagg5s
MD5

3d02df482ba2297ede23e6afd7135143
SHA1

54110a48d79b169f4c6b6e84ccecb885c3121e47
SHA256

9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
SHA512

cbca05b552fd7a469aa4fbc5e75ee46ce13fbb8eba03be0cd2e3a5b6f06ed108c111645a60674b8cf839cde2a430646b6eb584a6a747b53de338ac9e2e6523f8
SSDEEP

12288:vYuzkMoGZX9XrsgPMMtASzKwCrWllYLRMlSR23h:vYuzkMousUtP2rWgCAgh

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Targets

- Target
  
  LIST OF ORDER.pdf.exe
- Size
  
  441KB
- MD5
  
  3d02df482ba2297ede23e6afd7135143
- SHA1
  
  54110a48d79b169f4c6b6e84ccecb885c3121e47
- SHA256
  
  9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
- SHA512
  
  cbca05b552fd7a469aa4fbc5e75ee46ce13fbb8eba03be0cd2e3a5b6f06ed108c111645a60674b8cf839cde2a430646b6eb584a6a747b53de338ac9e2e6523f8
- SSDEEP
  
  12288:vYuzkMoGZX9XrsgPMMtASzKwCrWllYLRMlSR23h:vYuzkMousUtP2rWgCAgh
Score

10^/10

darkcloud persistence stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcloudpersistencestealer

behavioral2

darkcloudpersistencestealer