General

  • Target

    89e6160e32209269ad970188bb47901b0d87dfd79529ff67018741667ef1d6ac

  • Size

    3.1MB

  • Sample

    241019-anm4asxgqm

  • MD5

    cd5452a9c50eb17b589f657f1cb945e7

  • SHA1

    66be2220c74ac8de5c593e508aa21a244a7457e6

  • SHA256

    89e6160e32209269ad970188bb47901b0d87dfd79529ff67018741667ef1d6ac

  • SHA512

    22cd9f97a370aad1ac1e3f77a98204fe937ba558f6c7b880e835333a6068dcb64bac1b9ee054ea10ba1cb87e505c1454e9b5d008ab5a3498598abac12c14c71c

  • SSDEEP

    98304:DWbYaHEIR4KAe4phfRN+WbYaHEIR4KAe4phfRN:DOY0rMDkOY0rMD

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot7931237700:AAFORR1Anw56W1hHiiNueaGqnQE3qJUmrxQ/sendMessage?chat_id=5483672364

Targets

    • Target

      89e6160e32209269ad970188bb47901b0d87dfd79529ff67018741667ef1d6ac

    • Size

      3.1MB

    • MD5

      cd5452a9c50eb17b589f657f1cb945e7

    • SHA1

      66be2220c74ac8de5c593e508aa21a244a7457e6

    • SHA256

      89e6160e32209269ad970188bb47901b0d87dfd79529ff67018741667ef1d6ac

    • SHA512

      22cd9f97a370aad1ac1e3f77a98204fe937ba558f6c7b880e835333a6068dcb64bac1b9ee054ea10ba1cb87e505c1454e9b5d008ab5a3498598abac12c14c71c

    • SSDEEP

      98304:DWbYaHEIR4KAe4phfRN+WbYaHEIR4KAe4phfRN:DOY0rMDkOY0rMD

    • DarkCloud

      An information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks