Overview

overview

10

Static

static

3

Letter of ...23.exe

windows10-2004-x64

10

tier0_s64.dll

windows10-2004-x64

1

vstdlib_s64.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Letter of claim (26 02 2025) 0349823.zip

  • Size

    6.3MB

  • Sample

    250303-kcqp6asydt

  • MD5

    4b7fbbdd423e36d2a9be4348514d0076

  • SHA1

    272456ae27b322afec4f2862d4c03d1f4d5ba2be

  • SHA256

    d068a9f3cad88beca8f78cb36ecf5643746d9d833d60c889a8c5b8550ecdefa3

  • SHA512

    8aa4dc4a33921ee22b657040b7e5477f2331bf8d12da59659db80df8d229e0a078f6f548d7cf1e54c087fac4325cb4d4a1b1da2d327155ab88d5c3dd80d81eb7

  • SSDEEP

    196608:VErD8kB7YX7w2UgUj9t7jtgxaWoC7dyc8QSxvCY:y807em3jG7dyclSxv

Score
10/10
darkclouddiscoverypersistencestealer

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot8052153515:AAEy1R0ssCqYRtfr5MLZ5lbcuC9K_RdIieY/sendMessage?chat_id=5022382431

Targets

    • Target

      Letter of claim (26 02 2025) 0349823.exe

    • Size

      633KB

    • MD5

      a3d33d33f8b10595c252ee8e61a8892c

    • SHA1

      f8bf529297b99ebdd0d6214a1a8a20bffb1bd875

    • SHA256

      fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1

    • SHA512

      5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0

    • SSDEEP

      6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

    Score
    10/10
    darkclouddiscoverypersistencestealer

    • DarkCloud

      An information stealer written in Visual Basic.

      stealerdarkcloud

    • Darkcloud family

      darkcloud

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      tier0_s64.dll

    • Size

      410KB

    • MD5

      328655e0f2611479a90db044ab130373

    • SHA1

      d678fd28927f05bde277bc3dc5fc51e2b4dce8b8

    • SHA256

      586a9c2a27e906a54182166ec63a02bb6a28eb4e2e7e53a799db928b76fd036d

    • SHA512

      8849dbfa9406c94b9750a6771ba391be95d8b41c53f19f446be92f4f22633975aa7d11b999e9f25b93bc682173ad6e4993486a2ec51c7475046db8daf9b1ebc2

    • SSDEEP

      6144:3gOdWrN3L9iopicrVgNSpmbY+fNo809MmbtkrFCwXNmGzZ4gs7T3D3WG8dvB4h:3gOG3LEopVqYG2809DKriGzZ4g2rWwh

    Score
    1/10
    behavioral2

    • Target

      vstdlib_s64.dll

    • Size

      12.7MB

    • MD5

      90991fe4771d47c6d6a0f364417c0cd7

    • SHA1

      bf0584499aeca44b7bc1562cdf057f3156ad75af

    • SHA256

      0bf7f63b77f62865b2e08cb896bf8ec769985ece7be10247dbcaf5569b3f3476

    • SHA512

      f3c4867f0fa62aa5e887fe11ec824d1eb4ccfcce628a53b89f2adaa1af5bb5c66646ebdb80813d32de5ace57b305cbd730831eeda7e92b041e52527ccad8f05a

    • SSDEEP

      98304:/cw5hJvmFzInhG0o4twc6QzjBlxEpd86v38nd7TxqhdGI7jjJQFWL:/7H5ewhG0vo8BjE46v3K7Tx4dGIXjL

    Score
    10/10
    darkclouddiscoverystealer

    • DarkCloud

      An information stealer written in Visual Basic.

      stealerdarkcloud

    • Darkcloud family

      darkcloud

    • Suspicious use of SetThreadContext

    behavioral3

MITRE ATT&CK Enterprise v15

Tasks