darkcloud | 53f4f2fdacb71053c9f371a052d8deb9cd0dc357313f88e20a96c2c10588042b | Triage

Sharing

General

Target

receipt of full payment.xz
Size

803KB
Sample

240125-vqtn3sbdb9
MD5

b14b168d420d5450d9527d875c874100
SHA1

0e15cbb043f8cdf4724be2264260d7f2f42cceba
SHA256

53f4f2fdacb71053c9f371a052d8deb9cd0dc357313f88e20a96c2c10588042b
SHA512

d21d7fa50172c9e85f59df512b9ad9a4f03dd3e3625c8eca973ad0225fb1ecf48a12762a79be88a08ea86abfd6b1383caab5ecb03fc5f0b8cb58aa62b57d3056
SSDEEP

24576:pFBvuyYTaqSTGxdsHMFRbEbS4GzlxST/DH6Yq:lvuywpSTG0HMQSvzlxe6

Score

10^/10

darkcloud kinsing loader stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Targets

- Target
  
  receipt of full payment.exe
- Size
  
  918KB
- MD5
  
  dc8adcc624f9599d45e5e3b63411e4c7
- SHA1
  
  65f0b0f038f3969d5080ec79ce559093b217c467
- SHA256
  
  2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea
- SHA512
  
  51443b901a0abd5a74d69e22ec66367604a3b4005256efe3c96c843e5873ec158cec4dcc647508ca682975434514cf88977f170b6586bc31ae69b360919ce41e
- SSDEEP
  
  12288:mlUgySozdUd283S5qgkFCxjI4s+gGL+i7vJ0TG/r7jam+VM/NwNVJdPFZdVBo6U1:8mFudCDkFCx84OG9Brj7emT/NCVJdz
Score

10^/10

darkcloud stealer kinsing loader
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Kinsing
  Kinsing is a loader written in Golang.
  loader kinsing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcloudstealer

behavioral2

darkcloudkinsingloaderstealer