Overview

overview

10

Static

static

1

Bank Slip.vbs

windows7-x64

1

Bank Slip.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bank Slip.vbs

  • Size

    957B

  • Sample

    240416-szrjzafc5x

  • MD5

    4d66177f839c56f22efb3f7dfed7e583

  • SHA1

    d4d4a2d1680f25dd0642ec09e860932096108ff3

  • SHA256

    bb3779fd9e2577b65ec5c4e304e017c340365e57e3cad7035c146f69e1f3ec7c

  • SHA512

    ff87398772020a2cf6418d5b34f1b70759822982c69acbdcb236c46bc3d5acfdf57b713af8175cc9b9d7f91a591e59715de7d216fda51e33362f5d46bf4d573e

Score
10/10
darkcloudstealer

Malware Config

Extracted

Family

darkcloud

Attributes
  • email_from

    igor.bos@vinoterra.ru

  • email_to

    office.tony39@mail.ru

Targets

    • Target

      Bank Slip.vbs

    • Size

      957B

    • MD5

      4d66177f839c56f22efb3f7dfed7e583

    • SHA1

      d4d4a2d1680f25dd0642ec09e860932096108ff3

    • SHA256

      bb3779fd9e2577b65ec5c4e304e017c340365e57e3cad7035c146f69e1f3ec7c

    • SHA512

      ff87398772020a2cf6418d5b34f1b70759822982c69acbdcb236c46bc3d5acfdf57b713af8175cc9b9d7f91a591e59715de7d216fda51e33362f5d46bf4d573e

    Score
    10/10
    darkcloudstealer

    • DarkCloud

      An information stealer written in Visual Basic.

      stealerdarkcloud

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks