General

  • Target

    a505236f48ec6248e0ad539e9359ad2f1c739120dfc77f3adcc510dd942cd671

  • Size

    4KB

  • Sample

    250228-m45phazjy7

  • MD5

    f85f110b13c0bb7d68af2fcad372f43a

  • SHA1

    e091b2f86925fa0bf079b747b0ebb281eb40e896

  • SHA256

    a505236f48ec6248e0ad539e9359ad2f1c739120dfc77f3adcc510dd942cd671

  • SHA512

    2b1332179bb57a569fccd94ba63a795c540400b402962fdb136a733e01e02bcde72f4bc9f5030f383187cb66b7dc18c0106644181bc5bbcb9c06b8732d20c03d

  • SSDEEP

    96:g8Jmsd5QyB/jFnnJkvpXEScMWjPDLHYGCW:Vmkhn0fcXj3Hnd

Malware Config

Targets

    • Target

      purchase list #8479734734-8843947347_____________________________.vbe

    • Size

      24KB

    • MD5

      5aea1615d1872e876da66200bc9e47fa

    • SHA1

      6fe3576517885705735762ff060e9068fd9fdbe9

    • SHA256

      c9a42d3cb9f1ff79d28112275dd9d598daa429c81912c171401fce5594f1f515

    • SHA512

      68a87c1bbbf107714634af224b46a02252c8fd7e3799dee8fa36e4e064be07f2e51e4fab20591d7e6e05de769a4aac7ae59ef3b70e95cd3b6cec77d028a05ccd

    • SSDEEP

      192:Lh1qAagTqDNmlc1sN+uc4f9caUxarPlP1K:qMqDAlnoP4VcaUxarK

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
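
The signature list above describes host behaviour that ordinary endpoint telemetry records: a PowerShell launch with a hidden window, a registry read of the configured country code, and a file write into System32 by a script host. The following detector, an added illustration that is not part of the sandbox report, runs those three checks over constructed process, registry and file events; the event lines are made up, and the registry path used for the geofence rule (HKCU\Control Panel\International\Geo\Nation, the standard Windows GeoID location) is an assumption, since the report does not name the key it observed. SetThreadContext is an API-level indicator that process-creation logs do not carry, so it is not covered here.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str    # "process" (command line), "registry" (value read), "file" (file written)
    image: str   # full path of the acting process
    detail: str  # command line, registry value path, or written file path


# Constructed sample telemetry (not events from the sandbox run), in the order a
# .vbe stager that hands off to PowerShell would typically produce them.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\purchase list.vbe"'),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep 1"'),
    Event("registry", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"HKCU\Control Panel\International\Geo\Nation"),
    Event("file", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\drivers\etc\update.vbs"),
    Event("process", r"C:\Windows\explorer.exe",
          r'"C:\Program Files\Vendor\updater.exe" --check'),
    Event("registry", r"C:\Windows\explorer.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}

# powershell.exe accepts any unambiguous prefix of a parameter name, so
# "-w h", "-win hidden" and "-WindowStyle Hidden" all mean the same thing.
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w[a-z]{0,10}\s+h[a-z]{0,5}(?=\s|$)", re.I)
# Assumed key: the standard Windows GeoID location; the report does not name the key it saw.
GEOID_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\Windows\\System32\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_hidden_window(cmdline: str) -> bool:
    """True if the command line asks PowerShell to hide its console window."""
    return HIDDEN_WINDOW.search(cmdline) is not None


def detect(events):
    """Return (rule_name, event_index) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        exe = basename(ev.image)
        if ev.kind == "process" and exe in ("powershell.exe", "pwsh.exe") and is_hidden_window(ev.detail):
            hits.append(("powershell_hidden_window", i))
        elif ev.kind == "registry" and GEOID_KEY.search(ev.detail):
            hits.append(("geoid_registry_lookup", i))
        elif ev.kind == "file" and exe in SCRIPT_HOSTS and SYSTEM32.match(ev.detail):
            hits.append(("script_host_writes_system32", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{rule:30} {basename(ev.image)} -> {ev.detail}")
```

The hidden-window rule only sees what is on the command line; a stager that passes `-EncodedCommand` or sets the window style from inside the script will not trigger it, so pair it with the script-host-to-PowerShell parent/child relationship when your telemetry records parents.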

MITRE ATT&CK Enterprise v15

Tasks