General

  • Target

    PROFORMA INVOICE.arj

  • Size

    884KB

  • Sample

    241003-e6m88sycpb

  • MD5

    3f9ad9cebe273f2e650ed2357905ff26

  • SHA1

    fa9671fb630829739846c136629ab48ae3d689f0

  • SHA256

    ccdf54b8450d34d8c6a114598278a88b1807d6c5e447f45b746acc14193e773a

  • SHA512

    8ce2b3c803e0491ba67900c87248bbabf711b7cbebe817eaaad97b1bf8d3ce00f1964a799f4dc3d06c771dfefed7af6317725ca250e7837bc456094c7d9fcccd

  • SSDEEP

    12288:BRelGnwr8TpUaY5oLdIXFhgEfoiJ2T0x3YMo90gmNlGLMxlryedyVriSjF1tpbAJ:+lOPyaYee1SRDMYJ0g0lGLMbypJc3uS

Malware Config

Extracted

Family

darkcloud

Attributes

Targets

    • Target

      PROFORMA INVOICE.exe

    • Size

      982KB

    • MD5

      89768b71499c0eb974853e8e3f0cf5c4

    • SHA1

      be5b1ac72323e8e92643d3e0804d83b902ba486b

    • SHA256

      5489a717a23f4b7e2f250429554bd8a3d744970e1bfabe2162c9eb2fa8c04df8

    • SHA512

      badad67ac5109fe02d03f6685329ca30a057eb7b07706a1508854f86fd1339d578147e5beee0e084dc7eb6046288da26aefdbfea4e222eda005205307d962654

    • SSDEEP

      24576:gWTx232DgTe6ATI2Kw5JdnFjXX7juCCmOhsN:jAV3ATIts1VXPuBh

    • DarkCloud

      An information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks