General
-
Target
MT103 COPY.wsf
-
Size
805B
-
Sample
240423-k84lwsfa92
-
MD5
ed3a6fc0fe154268224d76230298884c
-
SHA1
4f41ce6d19a3f835f575e86cbef2d1483a67b3d7
-
SHA256
e319e6ddd91cc3c2dcfc917a01c0d011c6fa8501dbbc2cdabac71090f51d0c19
-
SHA512
34e293cc4d9eb87ddb9a91d6c08cdfa55adccbc1024e7d686dd7784c251f3c6f258e42924533b3f31fb8ef20751eaed8c7c5a5bd25957e34fad93f8477601ffc
Malware Config
Extracted
darkcloud
-
email_from
igor.bos@vinoterra.ru
-
email_to
office.tony39@mail.ru
Targets
-
-
Target
MT103 COPY.wsf
-
Size
805B
-
MD5
ed3a6fc0fe154268224d76230298884c
-
SHA1
4f41ce6d19a3f835f575e86cbef2d1483a67b3d7
-
SHA256
e319e6ddd91cc3c2dcfc917a01c0d011c6fa8501dbbc2cdabac71090f51d0c19
-
SHA512
34e293cc4d9eb87ddb9a91d6c08cdfa55adccbc1024e7d686dd7784c251f3c6f258e42924533b3f31fb8ef20751eaed8c7c5a5bd25957e34fad93f8477601ffc
Score10/10-
DarkCloud
An information stealer written in Visual Basic.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-