General

  • Target

    0ab28016d1c705af8fbd02f6df029399638a6b257a891c9bee4b274bbfecdbd8

  • Size

    801KB

  • Sample

    241015-g9jfkatfjq

  • MD5

    48161c2966c60b3bf42960378eb76672

  • SHA1

    32baab2f1bacb4f4d8dbabae38acb9e1ea58e6d6

  • SHA256

    0ab28016d1c705af8fbd02f6df029399638a6b257a891c9bee4b274bbfecdbd8

  • SHA512

    4195a521f8cbd5083fb2afb42bc13735aec7ffc2e238a4bab96f8fdb49c0c951ea22c67806c12e8f609c4e6cf89930fe9b02f844fe09e430d476e003f72d66c5

  • SSDEEP

    24576:B2AZ0o2Z943VkbT4hXZ6E/vXlVuGJCXC7+CT+e:B2AZ/2ZW3Vk0/v1Vu2CXC+CTB

Malware Config

Extracted

Family

darkcloud

Attributes

Targets

    • Target

      Quote-00373.exe

    • Size

      826KB

    • MD5

      b1c84580b3ed9a6a92745469090ea1df

    • SHA1

      a093025ae4dc574b5ce7dd9525fafea003cac18f

    • SHA256

      f4908b84c29c8157e12f3e8beddefbf853631d93714642309a5ba80c258fdc33

    • SHA512

      4a424f4abb4fe2e65d45bde5acf91685f413ae53d52f0748d4368a653470c1159050db2ab72dbd7919929dcd07a497c22f19f3d96bfb35a058435106f56e19ef

    • SSDEEP

      24576:rUgP0YW8EiCguUre4h3Z6A/vo+K+Mw97SuGJc6z46:r30zcCm3xvoe97Su2c6E6

    • DarkCloud

      An information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks