darkcloud | 9e4411dbb164a26bb03294a5911441ff0aa25a97fc1f961f0b6d1795cdff4971

General

Target

Payment Slip.exe
Size

336KB
MD5

66cc22ed167cdaef60b10efd54949ff6
SHA1

bbe7a39f01333346c8e3bcfbf73e4c484a3bc2cd
SHA256

78fbd42e5b8ac36090e1765cb86e573a4d8f2c3e1b6339c3e081343e74967943
SHA512

57c4c110a59c104af9ddee66d75a62330d985d83d604f3131920449265a9e2f2b5aa36f34da1b8fb86fe3875c254e27bfb87f51f32bc699ec465db4d1786640e
SSDEEP

6144:/Ya6D86Y0vp4i0viRcFiU+0/WHT22FtdJ9KGTV:/YpThvOi0OcFiUdeHa27dXV

Score

10^/10

darkcloud persistence stealer upx

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Loads dropped DLL 1 IoCs

pid	Process
3516	Payment Slip.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3120-141-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-143-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-145-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-148-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-149-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-150-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-151-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-152-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-153-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-154-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-155-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-156-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-157-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-158-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-159-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-160-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-161-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-162-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3120-163-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hqavfok = "C:\\Users\\Admin\\AppData\\Roaming\\xhqmvrbkgpyuea\\jrnwgcl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment Slip.exe\""	Payment Slip.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3516 set thread context of 3120	3516	Payment Slip.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3120	Payment Slip.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3516	Payment Slip.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3120	Payment Slip.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3120	3516	Payment Slip.exe	86
PID 3516 wrote to memory of 3120	3516	Payment Slip.exe	86
PID 3516 wrote to memory of 3120	3516	Payment Slip.exe	86
PID 3516 wrote to memory of 3120	3516	Payment Slip.exe	86

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshB279.tmp\xixaugr.dll

Filesize
53KB

MD5
18fe03603fef1da9072e5a778fa2da79

SHA1
d7bbb199679adf7d837a6fc019bd36a37c77a57b

SHA256
9e7731d5cbdd2e9f9c3add54e43eda6a82d782288bf5e9f5a9388affb772e3e3

SHA512
7dc9b851dce0727b44a091f2aa4274578fb1b65b77096a92a894c6876b8e2fd19327cdf333793507b519dc5208b32c8fbbc3eea2555484cb6a1005afe1271281

Download Submit
memory/3120-153-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-161-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-143-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-145-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-148-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-149-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-150-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-154-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-163-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-141-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-151-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-155-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-156-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-157-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-158-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-159-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-160-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-152-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3120-162-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3516-139-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads