General

  • Target

    19284564528.zip

  • Size

    884KB

  • Sample

    241010-fx1zeaybjf

  • MD5

    6899cd58a6f22f7f087f1126c4eb7745

  • SHA1

    70885ca8e9605d87b6390e73935145e4d3224494

  • SHA256

    88c5e6caa9880e682f748b55da70450279adf5d568bbf72a1522a39db199212f

  • SHA512

    77907697000ca1a44e080f5f3ad47b57873c25d0ad127cce44daf1f54cff1578a817f667a391929e6a9ae53eee6e80b205c1d2bb8b7ac341cd85ed5068e47f87

  • SSDEEP

    24576:2VMqJ88vJMJT1cPPcJdd0WoR4FUHwOfRaGtUBmzrVamwrnPKmHcK+cf:2VMqJ88vJMJ1H0U6HwOfAvErMLPKG1

Malware Config

Extracted

Family

darkcloud

Attributes

Targets

    • Target

      PROFORMA INVOICE.exe

    • Size

      982KB

    • MD5

      89768b71499c0eb974853e8e3f0cf5c4

    • SHA1

      be5b1ac72323e8e92643d3e0804d83b902ba486b

    • SHA256

      5489a717a23f4b7e2f250429554bd8a3d744970e1bfabe2162c9eb2fa8c04df8

    • SHA512

      badad67ac5109fe02d03f6685329ca30a057eb7b07706a1508854f86fd1339d578147e5beee0e084dc7eb6046288da26aefdbfea4e222eda005205307d962654

    • SSDEEP

      24576:gWTx232DgTe6ATI2Kw5JdnFjXX7juCCmOhsN:jAV3ATIts1VXPuBh

    • DarkCloud

      An information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks