darkcloud | a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 16:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

REMITTANCE ADVICE - TT231407ZA9893989.exe
Size

434KB
MD5

bc43848fb7dadbbcf35d6c71245e349d
SHA1

1a7b482f8a43456515188bfa5da676285bd40f83
SHA256

a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e
SHA512

ead603badaaa7b93801eabaaba846d86c9f280fee77673787d09eac54734567a5d62219d26d9228648aa28725674bd2faabd30e200b01c617002aa41ae219d25
SSDEEP

6144:/Ya6kCDm2IdQW1OFA0nn36ISxdv2L8uwgKrvBkdsbSjQ5q8HUM+ciX:/Y6CKVd9Ui6n36TgKrvBcCSj0HgciX

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Loads dropped DLL 1 IoCs

pid	Process
1260	REMITTANCE ADVICE - TT231407ZA9893989.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 2868	1260	REMITTANCE ADVICE - TT231407ZA9893989.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1260	REMITTANCE ADVICE - TT231407ZA9893989.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	REMITTANCE ADVICE - TT231407ZA9893989.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2868	1260	REMITTANCE ADVICE - TT231407ZA9893989.exe	85
PID 1260 wrote to memory of 2868	1260	REMITTANCE ADVICE - TT231407ZA9893989.exe	85
PID 1260 wrote to memory of 2868	1260	REMITTANCE ADVICE - TT231407ZA9893989.exe	85
PID 1260 wrote to memory of 2868	1260	REMITTANCE ADVICE - TT231407ZA9893989.exe	85

C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE - TT231407ZA9893989.exe
"C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE - TT231407ZA9893989.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE - TT231407ZA9893989.exe
  "C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE - TT231407ZA9893989.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\djovyzpe.dll

Filesize
62KB

MD5
c8b48761b883027a7f6d3abc4d317fb4

SHA1
4b9c7db7b20651c4e2ab8f93f2a0e29bc0f009c7

SHA256
86a5eaa86f5a9534bce7f4b934013e45a0eababfda8cc06b462d79b169ed3539

SHA512
01abe0f6da16915584b4c3cd687cd6196370b4dfa8dd3689ea5c2c81707e68962214462a17358b64c1eeb66cc54141b450a05656feefdef6e3dda8a82728d5f0

Download Submit
memory/1260-142-0x0000000074AE0000-0x0000000074AF3000-memory.dmp

Filesize
76KB

Download
memory/1260-138-0x0000000074AE0000-0x0000000074AF3000-memory.dmp

Filesize
76KB

Download
memory/2868-150-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-152-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-145-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-146-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-147-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-148-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-149-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-139-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-151-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-141-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-153-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-154-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-155-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-156-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-157-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-158-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2868-159-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download