Overview

overview

10

Static

static

1

Purchase O...df.exe

windows7-x64

10

Purchase O...df.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Purchase Order for PCO1881 - PO-24241000210.Pdf.exe

  • Size

    1.0MB

  • Sample

    240603-ha7jsaeg71

  • MD5

    019a117bed90ea36688d335fc0753880

  • SHA1

    ed1f8a4fe5a416fdda2ef0401e11fdfb56052754

  • SHA256

    b4f29f8cbbfa2d624fd3780c185da4e1a13854d5f05931a0a04098c802210dcb

  • SHA512

    1ffb90c0fe9e331bd24010330ab01b942d61750fe7648d2a9730550e82dbf1c51e71a311cc5055f72e997295ede2e6495175b4ee88ae53c98646c7ee3fb11363

  • SSDEEP

    24576:YMYeaPzN5i7lElsA0EZzyGNZV+3bZyn/l/TA4GoUwR:YMYeIN5i2GA0Cu+gUFTA4iwR

Score
10/10
darkcloudexecutionstealer

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot6062190835:AAFarBYBv-mQ3aLxNEnTAnblGK2thSsO8vQ/sendMessage?chat_id=1891775258

Targets

    • Target

      Purchase Order for PCO1881 - PO-24241000210.Pdf.exe

    • Size

      1.0MB

    • MD5

      019a117bed90ea36688d335fc0753880

    • SHA1

      ed1f8a4fe5a416fdda2ef0401e11fdfb56052754

    • SHA256

      b4f29f8cbbfa2d624fd3780c185da4e1a13854d5f05931a0a04098c802210dcb

    • SHA512

      1ffb90c0fe9e331bd24010330ab01b942d61750fe7648d2a9730550e82dbf1c51e71a311cc5055f72e997295ede2e6495175b4ee88ae53c98646c7ee3fb11363

    • SSDEEP

      24576:YMYeaPzN5i7lElsA0EZzyGNZV+3bZyn/l/TA4GoUwR:YMYeIN5i2GA0Cu+gUFTA4iwR

    Score
    10/10
    darkcloudexecutionstealer

    • DarkCloud

      An information stealer written in Visual Basic.

      stealerdarkcloud

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks