General

  • Target

    Pro_Details_17256.vbe

  • Size

    11KB

  • Sample

    250305-jge9jssxbz

  • MD5

    9f6610b7f362319fe51369213f18cf40

  • SHA1

    d5d9f5052488e78b7324765592f26f85ab32b780

  • SHA256

    fa1dbfb0f234eb04893d9473ab107ee50e4073b0d6bfdd6c54b168c5f5388867

  • SHA512

    ad844f4f41536426934cd763d0314a6e69f58de12b232e6361537a6e0f414046f154b8424f7375f4da26fe47b4a8060e9e12f8d1322680da483ec6aa5bb0b4ca

  • SSDEEP

    192:Lh1qXSnEgAyK31ldY2nX3V0JlaUfnR1QCgsfpF3cK:qCnEMK31l2MXK7LfnsCgG9d

Malware Config

Extracted

Family

darkcloud

Attributes

Targets

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15