darkcloud | 6a3a296b6bc17c71c15089e59a07de7a564b694d1f841b382f3ec8b15bcff29d | Triage

Sharing

General

Target

8_REF-REFERENCE-ORDER-QUOTATION-DETAILS.rar
Size

1.4MB
Sample

250303-l2rt7avvgs
MD5

21733aa9c7f074166214aed407267ee2
SHA1

e7155c20910a18ac86ffd6b068ffac08f5bb7667
SHA256

6a3a296b6bc17c71c15089e59a07de7a564b694d1f841b382f3ec8b15bcff29d
SHA512

ccc5a7c5bd3b586fff81f7cc34f799fd0e3b5474bf5d7fa408d689455e5a805cb03cc86c3fa6f401519d852b184403341da46aab1cc95fec56e0114f98c51a81
SSDEEP

24576:TZib+ZmlFJZQdJwop15/faixgG9LRq0AlLppLa9Oph57ZuH2iBlHFkStTU:cbkwJSdqon5/faQgGZRs29Odty2iBlHy

Score

10^/10

darkcloud modiloader discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

darkcloud

Credentials

Protocol: ftp
Host:
@StrFtpServer
Port:
21
Username:
@StrFtpUser
Password:
@StrFtpPass

Targets

- Target
  
  REF-REFERENCE-ORDER-QUOTATION-DETAILS.cmd
- Size
  
  5.0MB
- MD5
  
  61acf73d931438d77e85e31f3b5d8e6a
- SHA1
  
  2abe35f912290a8d4ddaa4485266e9d441d7eb13
- SHA256
  
  7b8008ab3703f5e1bfaf4d2970c133068fbdba704c311819e282c4456866afdc
- SHA512
  
  1efb0f8ec52b3ee0a3902ce89d70de6bcc117493f2a46265f8d1b1b7e50542b0f39b7a15e3f40a562cd98c591ac328c44504dee8f8f05186f750e26a3832f637
- SSDEEP
  
  49152:sZZC85MQCbNigm89TxcS/OCjapGp2eq2PDdpGuC3JClhJphPv/84LuSNtGaSy6Qm:C
Score

10^/10

modiloader discovery trojan darkcloud persistence spyware stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Darkcloud family
  darkcloud
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderdiscoverytrojan

behavioral2

darkcloudmodiloaderdiscoverypersistencespywarestealertrojan