Malware Analysis Report

2025-04-13 21:07

Sample ID 230724-gs66asag2v
Target DHL invoice.exe
SHA256 0802c13f11828457c8cd914c34d00517fc2ddccfb9060f34d90d01c01db4e47e
Tags darkcloud stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 0802c13f11828457c8cd914c34d00517fc2ddccfb9060f34d90d01c01db4e47e

Threat Level: Known bad

The file DHL invoice.exe was found to be: Known bad.

Malicious Activity Summary

darkcloud stealer

DarkCloud

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-07-24 06:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-24 06:05

Reported

2023-07-24 06:07

Platform

win7-20230712-en

Max time kernel

147s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe"

Signatures

DarkCloud

stealer darkcloud

Suspicious use of SetThreadContext

Description PID 1972 set thread context of 2508
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe
Target C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe

Suspicious use of SetWindowsHookEx

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe

"C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe"

C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe

"C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-07-24 06:05

Reported

2023-07-24 06:07

Platform

win10v2004-20230703-en

Max time kernel

148s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe"

Signatures

DarkCloud

stealer darkcloud

Suspicious use of SetThreadContext

Description PID 4380 set thread context of 1156
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe
Target C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe

Suspicious use of SetWindowsHookEx

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe

"C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe"

C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe

"C:\Users\Admin\AppData\Local\Temp\DHL invoice.exe"

Network


Files
