General

  • Target

    b26984a2e5d316747bde4ca8d8e4b22e93d28291b8ab333cbaa1379637c194a5

  • Size

    4KB

  • Sample

    250303-nb43yawxhw

  • MD5

    812e91e0236aaee528eaedfb749489ba

  • SHA1

    15cac4bf7fad0b240755e8b7968e5f52a713521e

  • SHA256

    b26984a2e5d316747bde4ca8d8e4b22e93d28291b8ab333cbaa1379637c194a5

  • SHA512

    cdab66cab92e594a6f0ce28b6440b3eeb4bcb97498699eec46f8546ba4a1f0788d101f93ae0678762e0700f09cf547028f176adf9464b89b3928bd2567f7488c

  • SSDEEP

    96:7Kxf2NgNu3GQuZlHV920MBfZWsIuFshJweGq26hsq+oJ5tC/:7++Nry/HV9XsqwehnukXS

Malware Config

Targets

    • Target

      Doc_ORIGINAL INVOICE.PDF.vbe

    • Size

      11KB

    • MD5

      a42951c5c7b173760e0025e53cfc7295

    • SHA1

      8a78b447f38ba47a8b685a657866da4897adbae4

    • SHA256

      737f41bd2f6388c78c25979c6c2318aff78657a3161fe6f50566f33155616a58

    • SHA512

      a71b9711337accdd9753df95ad593c7d2e67089dde13d4152dd970555c849ee4c2e1d39ed0e0c8c1970d38e092841f5f984c5b11051cef13510e4f65f4f1dffd

    • SSDEEP

      192:gh1qAIWI4sqbVUwsmxvoTsJQgMIzeaAwdnK:Ft7qbzxvoTPg5zeaAwdK

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks