darkcloud | b3f29a2e0aebdad74750ab849e49b7d521e12e361d4bc96aff307dece3f16036

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 07:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

invoice.docx.exe
Size

2.0MB
MD5

486cca7db81662acf63137de5e1ea20e
SHA1

2bf5cea8667a493cd94bd485c3f12e58d6912b8e
SHA256

b3f29a2e0aebdad74750ab849e49b7d521e12e361d4bc96aff307dece3f16036
SHA512

f11694c06260401db95856959d44810350fc061da6d28ebbfa0f276e0cf4f61b8314ae65d34a23126a1926b0b137d215cdeb7b9a433de50e770bb1a9f68f5111
SSDEEP

49152:PgWxkesOs5XWNMiP3U2b/HdVbN6ziS2PJ3dXZeuR:Imkets5XWDconN6zfQ5

Score

10^/10

darkcloud stealer upx

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1744-0-0x00007FF7F6910000-0x00007FF7F6F51000-memory.dmp	upx
behavioral2/memory/1744-3-0x00007FF7F6910000-0x00007FF7F6F51000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1856	1744	invoice.docx.exe	83

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1856	jsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1856	jsc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1856	1744	invoice.docx.exe	83
PID 1744 wrote to memory of 1856	1744	invoice.docx.exe	83
PID 1744 wrote to memory of 1856	1744	invoice.docx.exe	83
PID 1744 wrote to memory of 1856	1744	invoice.docx.exe	83
PID 1744 wrote to memory of 1856	1744	invoice.docx.exe	83
PID 1744 wrote to memory of 1856	1744	invoice.docx.exe	83
PID 1744 wrote to memory of 1856	1744	invoice.docx.exe	83
PID 1744 wrote to memory of 1856	1744	invoice.docx.exe	83

C:\Users\Admin\AppData\Local\Temp\invoice.docx.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.docx.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-0-0x00007FF7F6910000-0x00007FF7F6F51000-memory.dmp

Filesize
6.3MB

Download
memory/1744-1-0x0000019B675E0000-0x0000019B675F0000-memory.dmp

Filesize
64KB

Download
memory/1744-3-0x00007FF7F6910000-0x00007FF7F6F51000-memory.dmp

Filesize
6.3MB

Download
memory/1856-2-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1856-5-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1856-8-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download