darkcloud | 7aa2c7dddf4293f44c8d736721480bea6d539228da56a4151c52ba9bffc87f6e

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22-08-2023 14:30

Target

DHL AWB 38722187090.exe
Size

914KB
MD5

3232348d8f9aa98c80011580ae8d7c43
SHA1

f7887c6ea74e9d435ea8a7764fca67cf388e7477
SHA256

f2ae9306a48f1b446ce9467300267b864e8efe3f9e3b3d01da8bb89133140613
SHA512

2728202d1d29ab4d13e3c5a77eaa5e95a1d5f39969bb260e05331b0828e4da3f242615c663ccf0a44f013f7edadc1581158506feb643c06e08b6f5b2891c956c
SSDEEP

12288:H51qEww2d1mbTi5f6iB1YaZGMLxyAdLdE57Ry8iHs+t8PgaDZsoEJh3Y1EmXxDPJ:jqEw0CCiBDd6zBO8omiDotP1oMd

Score

10^/10

darkcloud stealer

Family

darkcloud

Attributes

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 2892	2152	DHL AWB 38722187090.exe	30

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2892	DHL AWB 38722187090.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2892	2152	DHL AWB 38722187090.exe	30
PID 2152 wrote to memory of 2892	2152	DHL AWB 38722187090.exe	30
PID 2152 wrote to memory of 2892	2152	DHL AWB 38722187090.exe	30
PID 2152 wrote to memory of 2892	2152	DHL AWB 38722187090.exe	30
PID 2152 wrote to memory of 2892	2152	DHL AWB 38722187090.exe	30
PID 2152 wrote to memory of 2892	2152	DHL AWB 38722187090.exe	30
PID 2152 wrote to memory of 2892	2152	DHL AWB 38722187090.exe	30
PID 2152 wrote to memory of 2892	2152	DHL AWB 38722187090.exe	30
PID 2152 wrote to memory of 2892	2152	DHL AWB 38722187090.exe	30

C:\Users\Admin\AppData\Local\Temp\DHL AWB 38722187090.exe
"C:\Users\Admin\AppData\Local\Temp\DHL AWB 38722187090.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\DHL AWB 38722187090.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL AWB 38722187090.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2892

memory/2152-69-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-55-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2152-54-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-53-0x00000000009C0000-0x0000000000AAA000-memory.dmp

Filesize
936KB

Download
memory/2152-57-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-58-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2152-59-0x0000000001FA0000-0x0000000001FAE000-memory.dmp

Filesize
56KB

Download
memory/2152-60-0x00000000055F0000-0x0000000005692000-memory.dmp

Filesize
648KB

Download
memory/2152-56-0x0000000001F80000-0x0000000001F9C000-memory.dmp

Filesize
112KB

Download
memory/2892-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2892-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2892-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-67-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2892-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2892-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2892-73-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download