General

  • Target

    SWIFT TRANSFER.exe

  • Size

    1.0MB

  • Sample

    240206-f69mxaabgj

  • MD5

    397cd818297d991cdd6497572d261a25

  • SHA1

    11cc48c47f1aac9af6ed1e15f66bba98899581b9

  • SHA256

    0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50

  • SHA512

    c683a1327f887c8e82eb032df862c84e3faa58dcfa9ff37ad5d7fd6287a356e59ae32b8512862f88d03bf8d63b71a95682343c8d3d982f76c3ce398371ebcb4f

  • SSDEEP

    24576:pO9cxPuT2Vj/wgFXRtl+btB7QVdWfXDE1MIz53u:pOV6Nz9YbATWvDlIN3u

Malware Config

Extracted

Family

darkcloud

Attributes

Targets

    • Target

      SWIFT TRANSFER.exe

    • Size

      1.0MB

    • MD5

      397cd818297d991cdd6497572d261a25

    • SHA1

      11cc48c47f1aac9af6ed1e15f66bba98899581b9

    • SHA256

      0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50

    • SHA512

      c683a1327f887c8e82eb032df862c84e3faa58dcfa9ff37ad5d7fd6287a356e59ae32b8512862f88d03bf8d63b71a95682343c8d3d982f76c3ce398371ebcb4f

    • SSDEEP

      24576:pO9cxPuT2Vj/wgFXRtl+btB7QVdWfXDE1MIz53u:pOV6Nz9YbATWvDlIN3u

    • DarkCloud

      An information stealer written in Visual Basic.

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks