darkcloud | adf9f5338648833c0b4bf2e10f1132340bd0cb7b8e1141c5b723bc95c82794d0 | Triage

Sharing

General

Target

documents.rar
Size

798KB
Sample

240125-vwzghsbec3
MD5

690d3df6187e284dedf5256c61384e9e
SHA1

ffb7d801060073a4c2a0224f4c890d36583413f6
SHA256

adf9f5338648833c0b4bf2e10f1132340bd0cb7b8e1141c5b723bc95c82794d0
SHA512

64b3ec1c59a509053db525642804d831ec44aee3c03171dc54ff767cf9fe865bef52926a2f46207e29dea39be125c56e131868eff5a18f28d20896bd352693d0
SSDEEP

24576:3rpfMQqWjAYwRAeUohe8tsFQeYGj64ro5F:3NEQqWsvbUtetQLsF

Score

10^/10

darkcloud kinsing loader stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Targets

- Target
  
  documents.exe
- Size
  
  911KB
- MD5
  
  9530a4b5c2772de4edb6005f057c0405
- SHA1
  
  f544295bc15e8c1f69e9c2939acc88decfe404c8
- SHA256
  
  6e94f38fee814023e77c4f2f3f718fd0bdf456974fb7742c03ee17dd2054050c
- SHA512
  
  62d66a9cdaa81a4e651711dfa27de2dd0269a3200da8f62dd91a479bc925198caa9b4090cdf2e509832b9d226f1d33b28f5f66f6a30c7f0ad39f8f0e3f5f56ed
- SSDEEP
  
  12288:8SGnBbC8IABQRIVa8Tt5g0IhUSIw28Ph0S0NrlhjT2E6JbkpjPJaGbrKHaYl18/d:NEC+BVTUZX2HjTz6pmddYl10
Score

10^/10

darkcloud stealer kinsing loader
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Kinsing
  Kinsing is a loader written in Golang.
  loader kinsing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcloudstealer

behavioral2

darkcloudkinsingloaderstealer