darkcloud | e073f03ad4da07937d0b2d4879e556104257ca2b293ed31de3d86b25e498a6cb | Triage

Sharing

General

Target

e073f03ad4da07937d0b2d4879e556104257ca2b293ed31de3d86b25e498a6cb
Size

827KB
Sample

240417-rwjvaacb37
MD5

4506ed7369b02ba16ece09a2afc17619
SHA1

4d4832c0ab9fb92b9a51867daf5a4d8c3fa61ef4
SHA256

e073f03ad4da07937d0b2d4879e556104257ca2b293ed31de3d86b25e498a6cb
SHA512

73022f32fcc7a08bf9e59036908ce9c903d4391f0c9b823d344df5eaa52f591eceb54882bd4345143a346f6629f6b80e3bb889c0c30f002c5dbef02642ab1e21
SSDEEP

12288:nyxGi98NnthhMb2adWgk+ffrGAUUcVIqTh7X8uYAgLTJqz6CCV6+ljlgzLLSdcos:82WTIz8jvUJxMuY9EzOV6+HKfSdLKCG

Score

10^/10

darkcloud stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
info@gtvbedding.com
email_to
info@gtvbedding.com

Targets

- Target
  
  0dd421edda69a829b7b9d025fd81f947085c0b3a54d9025312823a56c2b5df83.exe
- Size
  
  877KB
- MD5
  
  173aa6b5c260b3e19f1b979f054b02b0
- SHA1
  
  9ea4da05677968a322acf4330699e76b31676130
- SHA256
  
  0dd421edda69a829b7b9d025fd81f947085c0b3a54d9025312823a56c2b5df83
- SHA512
  
  29415d7778eb7d1275815f1bcee0c3f0613f300df29172ab03d63c119491af6ced57c25c39ed27e010c0e7ce7be87de216bf2757480db9fd392b95c1f8282d51
- SSDEEP
  
  24576:L/UAc8bshd1ixMpqvhnjqJR33ulonktC+FMIpSmUrSGG:L/U8bI1+MMv5YwloWCZU0m7
Score

10^/10

darkcloud stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcloudstealer

behavioral2

darkcloudstealer