Resubmissions

05/03/2025, 06:10

250305-gxhnha1mx3 10

05/03/2025, 06:07

250305-gvjg1s1ms5 10

05/03/2025, 06:03

250305-gsjp1a1lx8 10

General

  • Target

    malw.exe

  • Size

    1004KB

  • Sample

    250305-gxhnha1mx3

  • MD5

    3156c039ac4398f39061e0db79c297dd

  • SHA1

    0dedc7bbd2cc3104a545ac9e938ef6cb4a9bcdaf

  • SHA256

    3e2312f98954bf8411a1a13b8f56a39a23e24743eec56b237405b6acdea9f528

  • SHA512

    5dafea638e522baacf58bf23169ac123afbaee94f1496b52e07047b67f3a841f253500d6e5a92c69ac7c89e22d725eafe3e2376af2a1e8efca1e204d11861989

  • SSDEEP

    12288:fTeLfUucNs4tqjIqPw0RSOqwXiPZ1SSi08cd0ivkI74N4OxqwxHLdm5HY66fsHtx:fibYSgp4w0SOqwXimSXVvkIw4gRpjKD

Malware Config

Extracted

Family

darkcloud

Credentials

  • Protocol: ftp
  • Host: @StrFtpServer
  • Port: 21
  • Username: @StrFtpUser
  • Password: @StrFtpPass

Targets

    • Target

      malw.exe

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15