darkcloud | d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3 | Triage

Sharing

General

Target

SecuriteInfo.com.Zum.Androm.1.24234.31952.exe
Size

452KB
Sample

230719-asbwtsfe3z
MD5

29e2c66bc44a433d6da95086cae40800
SHA1

e41e56533dad36409b8f9d30e2bae8c22bba11c4
SHA256

d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3
SHA512

ec5a3913fd95f20d04b72d2eac55f71d0d54d63a21ccaece8768790833c48bdb78fd0120271c3fb59e0b335e50863dabb37d33cfd416b24a64def69238816685
SSDEEP

12288:PYSahmsDnOhqRKHrJUovhWmtQNdVPfUgB1X3oNtHZyLHr:PYSahFDnOkRKLJUK6d9UgGALL

Score

10^/10

darkcloud persistence stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Targets

- Target
  
  SecuriteInfo.com.Zum.Androm.1.24234.31952.exe
- Size
  
  452KB
- MD5
  
  29e2c66bc44a433d6da95086cae40800
- SHA1
  
  e41e56533dad36409b8f9d30e2bae8c22bba11c4
- SHA256
  
  d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3
- SHA512
  
  ec5a3913fd95f20d04b72d2eac55f71d0d54d63a21ccaece8768790833c48bdb78fd0120271c3fb59e0b335e50863dabb37d33cfd416b24a64def69238816685
- SSDEEP
  
  12288:PYSahmsDnOhqRKHrJUovhWmtQNdVPfUgB1X3oNtHZyLHr:PYSahFDnOkRKLJUK6d9UgGALL
Score

10^/10

darkcloud persistence stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcloudpersistencestealer

behavioral2

darkcloudpersistencestealer