General

  • Target

    78c596ef6b627c0210c528adda497162ef323dcb880edc19a1baa67c34e04906.exe

  • Size

    829KB

  • Sample

    250305-dgl47sxjs2

  • MD5

    e7985f412b8dda457c2d953cc2bcebb0

  • SHA1

    f2c2d4850d5d0a874495259f3b8c48a934d9d3a4

  • SHA256

    78c596ef6b627c0210c528adda497162ef323dcb880edc19a1baa67c34e04906

  • SHA512

    5749ca3397e1093e647ef77b2d8509c852b7d7c27db1793997a98bd6674254d15b2e15b8fe38e208c48807fb60cae34a232da4da5c8157310d4e1c6ecbd668e2

  • SSDEEP

    24576:iqilza9TFsbVxbMTbWWzvfhKAwmuWZgITsWZrLVkzoEd6:iqizaEh2xzPuWdXkcf

Malware Config

Extracted

Family

darkcloud

Credentials

  • Protocol:
    ftp
  • Host:
    @StrFtpServer
  • Port:
    21
  • Username:
    @StrFtpUser
  • Password:
    @StrFtpPass

Targets

    • Target

      78c596ef6b627c0210c528adda497162ef323dcb880edc19a1baa67c34e04906.exe

    • Size

      829KB

    • MD5

      e7985f412b8dda457c2d953cc2bcebb0

    • SHA1

      f2c2d4850d5d0a874495259f3b8c48a934d9d3a4

    • SHA256

      78c596ef6b627c0210c528adda497162ef323dcb880edc19a1baa67c34e04906

    • SHA512

      5749ca3397e1093e647ef77b2d8509c852b7d7c27db1793997a98bd6674254d15b2e15b8fe38e208c48807fb60cae34a232da4da5c8157310d4e1c6ecbd668e2

    • SSDEEP

      24576:iqilza9TFsbVxbMTbWWzvfhKAwmuWZgITsWZrLVkzoEd6:iqizaEh2xzPuWdXkcf

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks