General
- Target: Gun_Ici_Cek_Statu_Liste.xlxs.exe
- Size: 821KB
- Sample: 250306-j4ss6atsa1
- MD5: dd6e3f2c8adb69c1572d43235a7b530f
- SHA1: f73dd93046ad35a21a7c5f3a210f09e328a054fc
- SHA256: f18d276ce3ec088f6d446e409489bad5c9b613d6c1f10a6538724749c7cf2af6
- SHA512: d95d035bf78c97de1e5e21291d9e0d163acbbb47742a9a14e5422e21131d2e3576a7892cfd75467e36981f22b00e13dbd1bf7974e1caa61c2717d99f0f09c172
- SSDEEP: 24576:FM02MZV6XHcbMqZYEtok6s2r1gBT7mSi9oSv:FVO8bxYMo7r1YHmBoS
Static task: static1
Behavioral task: behavioral1
Sample: Gun_Ici_Cek_Statu_Liste.xlxs.exe
Resource: win7-20241010-en
Malware Config
Extracted: darkcloud
- Protocol: ftp
- Host: ftp.condormalta.com
- Port: 21
- Username: [email protected]
- Password: ~N#]]bSO$0-R
Targets
- Target: Gun_Ici_Cek_Statu_Liste.xlxs.exe
- Darkcloud family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (2)
- Credentials In Files (2)