General

  • Target

    Gun_Ici_Cek_Statu_Liste.xlxs.exe

  • Size

    821KB

  • Sample

    250306-j4ss6atsa1

  • MD5

    dd6e3f2c8adb69c1572d43235a7b530f

  • SHA1

    f73dd93046ad35a21a7c5f3a210f09e328a054fc

  • SHA256

    f18d276ce3ec088f6d446e409489bad5c9b613d6c1f10a6538724749c7cf2af6

  • SHA512

    d95d035bf78c97de1e5e21291d9e0d163acbbb47742a9a14e5422e21131d2e3576a7892cfd75467e36981f22b00e13dbd1bf7974e1caa61c2717d99f0f09c172

  • SSDEEP

    24576:FM02MZV6XHcbMqZYEtok6s2r1gBT7mSi9oSv:FVO8bxYMo7r1YHmBoS

Malware Config

Extracted

Family

darkcloud

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.condormalta.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ~N#]]bSO$0-R

Targets

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected using ACProtect software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks