darkcloud | 80df720f177171eec7bcaac47cd7842eba08f600d0afe6921d31c0b18aedb513 | Triage

Sharing

General

Target

INQUIRY_08.exe
Size

451KB
Sample

240819-rgprzsyckg
MD5

ab67bfa2e7c0a987db0134cee12939f6
SHA1

2fe2b6d71e450cd853bd43a7924c59d58f30423e
SHA256

80df720f177171eec7bcaac47cd7842eba08f600d0afe6921d31c0b18aedb513
SHA512

48b807dc4489813df2f2f567ef5e8627529758aef1b34a1f0e53889276e957c3146b124d01234469ce83aa3b69e86ec5a7fd9c1fe4d7754707795f51d0e221d0
SSDEEP

12288:4P/aECIO9hD0XB/e6NcYOo07wIOGMiS7bZc:4PyECImORjcYp0CGMVHG

Score

10^/10

darkcloud discovery persistence stealer

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot6686872771:AAGUwkUh0LMB8XwZ6Sv6jR4DHAsdZafImc0/sendMessage?chat_id=6542615755

Targets

- Target
  
  INQUIRY_08.exe
- Size
  
  451KB
- MD5
  
  ab67bfa2e7c0a987db0134cee12939f6
- SHA1
  
  2fe2b6d71e450cd853bd43a7924c59d58f30423e
- SHA256
  
  80df720f177171eec7bcaac47cd7842eba08f600d0afe6921d31c0b18aedb513
- SHA512
  
  48b807dc4489813df2f2f567ef5e8627529758aef1b34a1f0e53889276e957c3146b124d01234469ce83aa3b69e86ec5a7fd9c1fe4d7754707795f51d0e221d0
- SSDEEP
  
  12288:4P/aECIO9hD0XB/e6NcYOo07wIOGMiS7bZc:4PyECImORjcYp0CGMVHG
Score

10^/10

darkcloud discovery persistence stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkclouddiscoverypersistencestealer

behavioral2

darkclouddiscoverypersistencestealer