General

  • Target

    2024-10-17_4d8af0b01c04ac421ac6a7ad075125b8_avoslocker_hijackloader

  • Size

    4.0MB

  • Sample

    241017-xlx7tatcjj

  • MD5

    4d8af0b01c04ac421ac6a7ad075125b8

  • SHA1

    5548c12f5db852cb8d6a5cd56b92dbae4b07dab4

  • SHA256

    8c37a0837f7bcd12069f743522feeaff1f6f153ec54de0d68169e7438897bec7

  • SHA512

    7fff68053e0498b84456639ad0fad1fc05bf9858a90f784ffc1b74793d0d5c4e2f612bd620703b79a10a9d5aa3f6bd0bfdc3924a52ec337fcff06b1423f7c003

  • SSDEEP

    98304:/xf7r67MbclCCF/qudOPOU/jIEeQfoR/IuOFVjUu5:567MkNRN8FIF0wu

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot8136579075:AAGj0tA4jaUAY9OKp-x5cJn4qOrj2emlQuE/sendMessage?chat_id=7309975149

Targets

    • DarkCloud

      An information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks