Overview

overview

10

Static

static

1

purchase l...__.vbe

windows7-x64

8

purchase l...__.vbe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    purchase list #8479734734-8843947347_____________________________.lha

  • Size

    3KB

  • Sample

    250303-slem9a1mw4

  • MD5

    2b6fc847e886ef88325d9a89045c214e

  • SHA1

    292dd8114ec211ad5c08537866eb8f32e45fbbb4

  • SHA256

    decf78547abde6d5e113d80e7ab426c1ae1089595d4162b766064d666022ad06

  • SHA512

    91727bb9d098c707b18c42deae6ad71cd229b6decc6bd9de25fb5fc1c9b6723f50b9fe7a1beb953561074711130be596b719897eaf7dbeabd80c1e1537ac54d5

Score
10/10
darkcloudexecutionstealer

Malware Config

Targets

    • Target

      purchase list #8479734734-8843947347_____________________________.vbe

    • Size

      11KB

    • MD5

      9884baf8abdb370f9a9e9cfc6473fa02

    • SHA1

      100a91e29963dacabfffe6f786f666b494460e4b

    • SHA256

      e47b77bf56b3fcc37782efc25ebafaac3af6ace16521943dfbee00266b2ce378

    • SHA512

      0df20a9ba3df27ab258494e1c49fa42c910a7ccb89845f41783710b49b122248c3ba833ce5e9b251fd908e93d4df49de13f10d0f134ab9e92916bd7a7e72a5dc

    • SSDEEP

      192:gh1qAIWI4stbVUwsmxvoTsOGXB1krs1hNRdG1K:Ft7tbzxvoT3GXB1krs1hNRdGc

    Score
    10/10
    executiondarkcloudstealer

    • DarkCloud

      An information stealer written in Visual Basic.

      stealerdarkcloud

    • Darkcloud family

      darkcloud

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks