General

  • Target

    BANK STATEMENT REPORT.exe

  • Size

    981KB

  • Sample

    241003-g5224ssfqg

  • MD5

    11e3eec9035239203976f9847453ece4

  • SHA1

    6198ac8abbf805341fe982dbb76f676fddb280bb

  • SHA256

    88b07657500a548ed8476fa415896d2179c307d4751917ca892119c3fff120b0

  • SHA512

    0a3e247cd1168bb91a37b8dfe50a2f20f3ef0d81e4edfe3a209ed7badd9caacdc639e2d0285ddfcdb0a75eaf90d37b21c57c838264b3f3431f3a27c560d1ab14

  • SSDEEP

    24576:bnOxmRc2cFD8ej9XqzazPMi9J3/KEYTVOSET:Cxm22c7XXN9J3fR

Malware Config

Extracted

Family

darkcloud

Attributes

Targets

    • DarkCloud

      An information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks