General

  • Target

    0a8cd02d2ce087bd385a07dc8c27e8af85bfb4a0.zip

  • Size

    777B

  • Sample

    240503-nn95qafe44

  • MD5

    70c1a01506503d66b2a2729f4e23719c

  • SHA1

    5858a84143019ddc9cb3bd8e46e53ef7675305a2

  • SHA256

    866019641f3374234b67045e063ec6514e811f1636e49b9bc3d54441bb4a6741

  • SHA512

    4689c2472cf9537c7ccba4943714df9e5733688f40662804984d57fc59c57c9cee6c72b6585fb28d48f5c747e8dc17a1bea9054d2726c08c16a1be19d305bccb

Score
10/10

Malware Config

Extracted

Family

darkcloud

Attributes
  • email_from

    igor.bos@vinoterra.ru

  • email_to

    office.tony39@mail.ru

Targets

    • Target

      SOA_XSL.wsf

    • Size

      795B

    • MD5

      644ca3a3f10afbeab56d93ce4ad7f0ba

    • SHA1

      ef5dcb8a6e1a1152d116411f784a609c8f870a0a

    • SHA256

      377180ae7109057e5f8403307834211a4c75a584be3090552cb059e52bf4a192

    • SHA512

      da09d35e3dabf0f4c4d541b0322ca1e2600522d7d41abc6adf04d568a58af8a98e89bbcd83a67869e1becaf6fda412aaf0762f1465e47faceaf06293d1db27ea

    Score
    10/10
    • DarkCloud

      An information stealer written in Visual Basic.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks