darkcloud | e47b77bf56b3fcc37782efc25ebafaac3af6ace16521943dfbee00266b2ce378 | Triage

Submit
Reports

Overview

overview

Static

static

1

purchase l...__.vbe

windows7-x64

8

purchase l...__.vbe

windows10-2004-x64

Sharing

General

Target

purchase list #8479734734-8843947347_____________________________.vbe
Size

11KB
Sample

250303-zf13maytft
MD5

9884baf8abdb370f9a9e9cfc6473fa02
SHA1

100a91e29963dacabfffe6f786f666b494460e4b
SHA256

e47b77bf56b3fcc37782efc25ebafaac3af6ace16521943dfbee00266b2ce378
SHA512

0df20a9ba3df27ab258494e1c49fa42c910a7ccb89845f41783710b49b122248c3ba833ce5e9b251fd908e93d4df49de13f10d0f134ab9e92916bd7a7e72a5dc
SSDEEP

192:gh1qAIWI4stbVUwsmxvoTsOGXB1krs1hNRdG1K:Ft7tbzxvoT3GXB1krs1hNRdGc

Score

10^/10

darkcloud discovery execution stealer

Static task

static1

Behavioral task

behavioral1

Sample

purchase list #8479734734-8843947347_____________________________.vbe

Resource

win7-20240903-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

purchase list #8479734734-8843947347_____________________________.vbe

Resource

win10v2004-20250217-en

darkcloud discovery execution stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Targets

- Target
  
  purchase list #8479734734-8843947347_____________________________.vbe
- Size
  
  11KB
- MD5
  
  9884baf8abdb370f9a9e9cfc6473fa02
- SHA1
  
  100a91e29963dacabfffe6f786f666b494460e4b
- SHA256
  
  e47b77bf56b3fcc37782efc25ebafaac3af6ace16521943dfbee00266b2ce378
- SHA512
  
  0df20a9ba3df27ab258494e1c49fa42c910a7ccb89845f41783710b49b122248c3ba833ce5e9b251fd908e93d4df49de13f10d0f134ab9e92916bd7a7e72a5dc
- SSDEEP
  
  192:gh1qAIWI4stbVUwsmxvoTsOGXB1krs1hNRdG1K:Ft7tbzxvoT3GXB1krs1hNRdGc
Score

10^/10

execution darkcloud discovery stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Darkcloud family
  darkcloud
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkclouddiscoveryexecutionstealer

© 2018-2025

Terms | Privacy