General

  • Target

    2024-10-17_ea944ea17b1d5c59903b14c447e1155b_avoslocker_hijackloader

  • Size

    3.8MB

  • Sample

    241017-xl4platckj

  • MD5

    ea944ea17b1d5c59903b14c447e1155b

  • SHA1

    73b05a2395ce64a336b449d9a57a3066caaca00b

  • SHA256

    239db8e185b4157bd9ed4ada425cade5a92d5691fd559a8f8f34f70ad967feb0

  • SHA512

    e8e4cae6d95b649295ff91f343a9abe137633ee9201a5203ec3e96e463c4d560bc8e99cfa3ebd16f64589e851287169e59196d91b24333fd08c299de4015ca09

  • SSDEEP

    98304:RWbYaHEIR4KAe4phfRNQOU/jIEeQfoR/IuOFVjUu5:ROY0rMDaFIF0wu

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot7931237700:AAFORR1Anw56W1hHiiNueaGqnQE3qJUmrxQ/sendMessage?chat_id=5483672364

Targets

    • Target

      2024-10-17_ea944ea17b1d5c59903b14c447e1155b_avoslocker_hijackloader

    • Size

      3.8MB

    • MD5

      ea944ea17b1d5c59903b14c447e1155b

    • SHA1

      73b05a2395ce64a336b449d9a57a3066caaca00b

    • SHA256

      239db8e185b4157bd9ed4ada425cade5a92d5691fd559a8f8f34f70ad967feb0

    • SHA512

      e8e4cae6d95b649295ff91f343a9abe137633ee9201a5203ec3e96e463c4d560bc8e99cfa3ebd16f64589e851287169e59196d91b24333fd08c299de4015ca09

    • SSDEEP

      98304:RWbYaHEIR4KAe4phfRNQOU/jIEeQfoR/IuOFVjUu5:ROY0rMDaFIF0wu

    • DarkCloud

      An information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks