General

  • Target

    b30c82760bfafad1a5fc9364af199c8b15d0f0002fd9e7ddf00aae6c000e4a68

  • Size

    3.1MB

  • Sample

    241019-ckfk6asfrn

  • MD5

    4cb01305a02d0e55270b6fb73ea03055

  • SHA1

    256d39173fd7074e3f7eeb329d2beee81779541b

  • SHA256

    b30c82760bfafad1a5fc9364af199c8b15d0f0002fd9e7ddf00aae6c000e4a68

  • SHA512

    bd6272bdb9a654aa345eb74a919534474eaf2ee968f02ed9780ef689612dc4fb66379ae96b54545a6ffd386a024449dc5816ee0a832708fbf52e27f722e458bf

  • SSDEEP

    98304:3xf7r67MbclCCF/qudOPKjKWQckVgtev5mnlNL:h67MkNRNFKWQc0gEYnvL

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot8136579075:AAGj0tA4jaUAY9OKp-x5cJn4qOrj2emlQuE/sendMessage?chat_id=7309975149

Targets

    • Target

      b30c82760bfafad1a5fc9364af199c8b15d0f0002fd9e7ddf00aae6c000e4a68

    • Size

      3.1MB

    • MD5

      4cb01305a02d0e55270b6fb73ea03055

    • SHA1

      256d39173fd7074e3f7eeb329d2beee81779541b

    • SHA256

      b30c82760bfafad1a5fc9364af199c8b15d0f0002fd9e7ddf00aae6c000e4a68

    • SHA512

      bd6272bdb9a654aa345eb74a919534474eaf2ee968f02ed9780ef689612dc4fb66379ae96b54545a6ffd386a024449dc5816ee0a832708fbf52e27f722e458bf

    • SSDEEP

      98304:3xf7r67MbclCCF/qudOPKjKWQckVgtev5mnlNL:h67MkNRNFKWQc0gEYnvL

    • DarkCloud

      An information stealer written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks