Overview

overview

10

Static

static

1

purchase l...47.vbe

windows7-x64

8

purchase l...47.vbe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    purchase list #8479734734-8843947347.vbe

  • Size

    24KB

  • Sample

    250228-sejnmazzaw

  • MD5

    5aea1615d1872e876da66200bc9e47fa

  • SHA1

    6fe3576517885705735762ff060e9068fd9fdbe9

  • SHA256

    c9a42d3cb9f1ff79d28112275dd9d598daa429c81912c171401fce5594f1f515

  • SHA512

    68a87c1bbbf107714634af224b46a02252c8fd7e3799dee8fa36e4e064be07f2e51e4fab20591d7e6e05de769a4aac7ae59ef3b70e95cd3b6cec77d028a05ccd

  • SSDEEP

    192:Lh1qAagTqDNmlc1sN+uc4f9caUxarPlP1K:qMqDAlnoP4VcaUxarK

Score
10/10
darkcloudexecutionstealer

Malware Config

Targets

    • Target

      purchase list #8479734734-8843947347.vbe

    • Size

      24KB

    • MD5

      5aea1615d1872e876da66200bc9e47fa

    • SHA1

      6fe3576517885705735762ff060e9068fd9fdbe9

    • SHA256

      c9a42d3cb9f1ff79d28112275dd9d598daa429c81912c171401fce5594f1f515

    • SHA512

      68a87c1bbbf107714634af224b46a02252c8fd7e3799dee8fa36e4e064be07f2e51e4fab20591d7e6e05de769a4aac7ae59ef3b70e95cd3b6cec77d028a05ccd

    • SSDEEP

      192:Lh1qAagTqDNmlc1sN+uc4f9caUxarPlP1K:qMqDAlnoP4VcaUxarK

    Score
    10/10
    executiondarkcloudstealer

    • DarkCloud

      An information stealer written in Visual Basic.

      stealerdarkcloud

    • Darkcloud family

      darkcloud

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks