General

  • Target

    1154039c4b1ff69d88c44d77a02d6f24c904e311880edd17b7ca9f5e4e1b26f4.exe

  • Size

    867KB

  • Sample

    250304-cknxjawqw2

  • MD5

    c42e6727062eb7dc29766e08f9fffa9b

  • SHA1

    fa88d10db31d2e2ddf4aa6e0855f1b5689322bab

  • SHA256

    1154039c4b1ff69d88c44d77a02d6f24c904e311880edd17b7ca9f5e4e1b26f4

  • SHA512

    195502111d2dd147c53f5954dfc6615eec6c1d193736c9cdec16f5f849f24c620f3390278dd4d73e5fc7dbbb6084726e7b7a8c7236aa1fc466faf1b071c32a2e

  • SSDEEP

    24576:qn83ilzaYx6s6ff7RzyqeqGo7k5VCpgX5pR/0un:f3izaY56rRznvx7w/TR/dn

Malware Config

Extracted

Family

darkcloud

Credentials

  • Protocol:
    ftp
  • Host:
    @StrFtpServer
  • Port:
    21
  • Username:
    @StrFtpUser
  • Password:
    @StrFtpPass

Targets

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks