Malware Analysis Report

2025-04-13 21:07

Sample ID: 230724-v8bafsga63
Target: Εντολή Αγοράς 4010061141.iso (Greek for "Purchase Order 4010061141.iso")
SHA256: f9a0935eac4db119d91f378de9a7950535ef9e769a2e927fe542a039ef1032f6
Tags: darkcloud stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f9a0935eac4db119d91f378de9a7950535ef9e769a2e927fe542a039ef1032f6

Threat Level: Known bad

The file Εντολή Αγοράς 4010061141.iso was found to be: Known bad.

Malicious Activity Summary

darkcloud stealer

DarkCloud

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-07-24 17:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-24 17:39

Reported

2023-07-24 17:41

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"

Signatures

DarkCloud

stealer darkcloud

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5096 set thread context of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\__T_____.exe

"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"

C:\Users\Admin\AppData\Local\Temp\__T_____.exe

"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.162.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp

Files

memory/5096-134-0x0000000074850000-0x0000000075000000-memory.dmp

memory/5096-133-0x0000000000FC0000-0x00000000010BA000-memory.dmp

memory/5096-135-0x0000000006160000-0x0000000006704000-memory.dmp

memory/5096-136-0x0000000005AB0000-0x0000000005B42000-memory.dmp

memory/5096-137-0x0000000005A50000-0x0000000005A60000-memory.dmp

memory/5096-138-0x0000000005B60000-0x0000000005B6A000-memory.dmp

memory/5096-139-0x0000000005E00000-0x0000000005E9C000-memory.dmp

memory/5096-140-0x0000000074850000-0x0000000075000000-memory.dmp

memory/5096-141-0x0000000005A50000-0x0000000005A60000-memory.dmp

memory/1812-142-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1812-145-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5096-147-0x0000000074850000-0x0000000075000000-memory.dmp

memory/1812-149-0x0000000000400000-0x0000000000462000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-24 17:39

Reported

2023-07-24 17:41

Platform

win7-20230712-en

Max time kernel

147s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"

Signatures

DarkCloud

stealer darkcloud

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2776 set thread context of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2776 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe
PID 2776 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe

Processes

C:\Users\Admin\AppData\Local\Temp\__T_____.exe

"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"

C:\Users\Admin\AppData\Local\Temp\__T_____.exe

"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"

C:\Users\Admin\AppData\Local\Temp\__T_____.exe

"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"

Network

N/A

Files

memory/2776-54-0x00000000013E0000-0x00000000014DA000-memory.dmp

memory/2776-55-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/2776-56-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

memory/2776-57-0x00000000004B0000-0x00000000004C4000-memory.dmp

memory/2776-58-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/2776-59-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

memory/2776-60-0x0000000000660000-0x000000000066A000-memory.dmp

memory/2776-61-0x0000000008060000-0x0000000008104000-memory.dmp

memory/2944-62-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2944-63-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2944-64-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2944-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2944-68-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2944-70-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2776-72-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/2944-74-0x0000000000400000-0x0000000000462000-memory.dmp