General

  • Target

    54ee265c54296cc6ac3ce087daddc93e4cf907f218b158bd5e41192303f23479

  • Size

    840KB

  • Sample

    250305-byg6gavnv2

  • MD5

    85188472721016560ab6aba6339055c8

  • SHA1

    d0ee268727799d8656abc332185b9f2272c8fc53

  • SHA256

    54ee265c54296cc6ac3ce087daddc93e4cf907f218b158bd5e41192303f23479

  • SHA512

    237edf06bb82c14b229e3479c52c780606891f1acf95a84e743f36c3ef7a4257bae86067e6577aedf87dd423b5d352ecf687c33e1d38f3604c4e517cac6a70b7

  • SSDEEP

    24576:fBilzazVZyrHtZGw+/JdQUtSmjl6zvTFie0oaC:fBizazVZaGw+j1ku8vTFz0oaC

Malware Config

Extracted

Family

darkcloud

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.condormalta.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ~N#]]bSO$0-R

Targets

    • Target

      54ee265c54296cc6ac3ce087daddc93e4cf907f218b158bd5e41192303f23479

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with ACProtect.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks