Resubmissions

04/03/2025, 06:10

250304-gxelvatjw2 10

28/02/2025, 01:17

250228-bnfvnaxk12 10

General

  • Target

    NoticeLetter.zip

  • Size

    6.1MB

  • Sample

    250304-gxelvatjw2

  • MD5

    d719d968395f173fa70576516514f656

  • SHA1

    bb0d08cd8fd734be4213a2a1449b059d8a39f1db

  • SHA256

    5ae9345b3b4cd9d4092c10f5aaf7effa4e62ab86501823f2b2c1244a5584b5cd

  • SHA512

    4a2877526970098000383c08436e7cb0ef547fb3a5794b94b0e7d244cd9ba23545b7f3fa9117c43d21764a81816eab15f79d239e69628536c821dc6bc49ceba8

  • SSDEEP

    196608:+YlwHbFgV19YcSDDw29d5hW0/XTu/0l0GwhA7LQg:+YMyv9gnwQd5M0/Xy/0Dh

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot8052153515:AAEy1R0ssCqYRtfr5MLZ5lbcuC9K_RdIieY/sendMessage?chat_id=5022382431

Targets

    • Target

      Notice Letter/Notice Letter (26 02 2025) 0349823.exe

    • Size

      633KB

    • MD5

      a3d33d33f8b10595c252ee8e61a8892c

    • SHA1

      f8bf529297b99ebdd0d6214a1a8a20bffb1bd875

    • SHA256

      fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1

    • SHA512

      5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0

    • SSDEEP

      6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Notice Letter/tier0_s64.dll

    • Size

      410KB

    • MD5

      328655e0f2611479a90db044ab130373

    • SHA1

      d678fd28927f05bde277bc3dc5fc51e2b4dce8b8

    • SHA256

      586a9c2a27e906a54182166ec63a02bb6a28eb4e2e7e53a799db928b76fd036d

    • SHA512

      8849dbfa9406c94b9750a6771ba391be95d8b41c53f19f446be92f4f22633975aa7d11b999e9f25b93bc682173ad6e4993486a2ec51c7475046db8daf9b1ebc2

    • SSDEEP

      6144:3gOdWrN3L9iopicrVgNSpmbY+fNo809MmbtkrFCwXNmGzZ4gs7T3D3WG8dvB4h:3gOG3LEopVqYG2809DKriGzZ4g2rWwh

    • Score

      1/10

    • Target

      Notice Letter/vstdlib_s64.dll

    • Size

      12.7MB

    • MD5

      90991fe4771d47c6d6a0f364417c0cd7

    • SHA1

      bf0584499aeca44b7bc1562cdf057f3156ad75af

    • SHA256

      0bf7f63b77f62865b2e08cb896bf8ec769985ece7be10247dbcaf5569b3f3476

    • SHA512

      f3c4867f0fa62aa5e887fe11ec824d1eb4ccfcce628a53b89f2adaa1af5bb5c66646ebdb80813d32de5ace57b305cbd730831eeda7e92b041e52527ccad8f05a

    • SSDEEP

      98304:/cw5hJvmFzInhG0o4twc6QzjBlxEpd86v38nd7TxqhdGI7jjJQFWL:/7H5ewhG0vo8BjE46v3K7Tx4dGIXjL

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15