General

  • Target

    z10RFQ-202401.exe

  • Size

    1021KB

  • Sample

    241009-hs8jssvgqg

  • MD5

    82a8f6b951126abaa0e884cb6e5a9b19

  • SHA1

    7eb443ea956a5de3159dd38206460809345d1436

  • SHA256

    ec0d72589beb5612e587061560e3b55a728b71642f60b1d4ae095bcdaab57fc8

  • SHA512

    07fcd2fd9366072a5d602726f16fb0b832e2e1ad122da0f4ec30bf3bb8042c92bd7d76ae5a0a47bcf6a973fa6add07f617207616377f95aa47ee8971a0b685b1

  • SSDEEP

    24576:JoaKAfTxOCPSKRxHkB6a6Fbdh9WWUO4dJ7EE:JoaKyTxrvxHTaebbsoE

Malware Config

Extracted

  • Family

    darkcloud

  • C2

    https://api.telegram.org/bot5723230539:AAHXr6rmQsEsq1CdwKBxLF-mnANEsBE4mYk

Targets

    • DarkCloud

      An information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks