darkcloud | 0bd93a3f99ba7af290a968f54e6aa9dd7f7d38dd59a033ae78afbee46a641e83 | Triage

Sharing

General

Target

0bd93a3f99ba7af290a968f54e6aa9dd7f7d38dd59a033ae78afbee46a641e83
Size

409KB
Sample

230718-khngzshb88
MD5

ba1ab875cfba0aafc6d8825874f31a7f
SHA1

8428f1510ed8f7fcdcff3eb9d7a7617b726abb46
SHA256

0bd93a3f99ba7af290a968f54e6aa9dd7f7d38dd59a033ae78afbee46a641e83
SHA512

98dd4a58efc0c3cc5a92fedce469b85ab17edcf298a06751361ba9744f21061214a1ffc12b71e3fb87dee941b7a3d05113c8f1529c2896a39ba15550fef2129d
SSDEEP

12288:VyhIMzYKfZ0rooQxOmV0ovcujraqtawSTv8mY84:krfWr9zmV0ovcAW2DSomYJ

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Targets

- Target
  
  SOA.exe
- Size
  
  426KB
- MD5
  
  2d2d2d51c9dec0a7811ff8ffc4827689
- SHA1
  
  ebf524dbe0a9adec78fca81308574a26c7c466c6
- SHA256
  
  8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed
- SHA512
  
  16b4ed1c5de39c8b12b54d759a4ba38cb75f5b72ae7c0508f8895ada7dc0207e2d2e27fb9bea1ed286ea8ca66e4fd49036a74db4c533187a99a67ec2e2717b9b
- SSDEEP
  
  12288:pYbyIfr4roCQxOCz0oPcujV0qtaGSTv8mY/L:pYbRf8r5zCz0oPcAO27SomYz
Score

10^/10

darkcloud persistence stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcloudpersistencestealer

behavioral2

darkcloudpersistencestealer