General

  • Target

    1328f2b5957c60a53f0c0d00786c536e3f182c44aa47dcd4b8850037d9a6beeb.exe

  • Size

    797KB

  • Sample

    250310-n2zadatlx7

  • MD5

    0114ecfd983f457204164e0f72adbf78

  • SHA1

    26fd0dc11aceeb4e0e8b59bb357fb3c9c33d417a

  • SHA256

    1328f2b5957c60a53f0c0d00786c536e3f182c44aa47dcd4b8850037d9a6beeb

  • SHA512

    48d250d3b802dcf248e5133b338a800e8b877a1763dac9f0dd75f655ed5f50232c046dc4ce9bb4982fae50c3022c0f9593e1d0c6a62c15ae18b29d34f3895260

  • SSDEEP

    12288:xrgGXFJPY52q7Lv/V4eWSskHV8RLb2mnSAi/zB6CCOtpQCfd8fmM:xDg2q7ZBgdRLb240/zfQI2

Malware Config

Extracted

Family

darkcloud

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.dorasanat.com.tr
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    2ynT]th~+-pD

Targets

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

      Typically associated with process hollowing or thread-hijacking injection into another process.
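The Python below is an added worked example, not part of the sandbox report or the DarkCloud sample, that turns two of the items above into hunt logic: the Defender-exclusion PowerShell activity (matched in PowerShell script-block text, Event ID 4104) and outbound FTP sessions to the exfiltration host from the extracted config. The log lines are constructed for the demonstration; the pipe-delimited event layout and the CSV schema are assumptions, and only the host and port come from the report (the username on the page is obfuscated, so the rule keys on host and port instead).

```python
"""Hunt logic for the DarkCloud behaviours listed in this report.

Added example, not tool output. Everything below except EXFIL_HOST and
EXFIL_PORT is constructed or assumed for the demonstration.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# From the extracted config above (the only values taken from the report).
EXFIL_HOST = "ftp.dorasanat.com.tr"
EXFIL_PORT = 21

# Add-MpPreference / Set-MpPreference followed (within the same pipeline
# segment) by one of the three exclusion parameters the signature describes.
# Note: PowerShell also accepts unambiguous parameter prefixes (e.g. -ExclusionE),
# which this rule deliberately keeps out of scope for readability.
_DEFENDER_EXCL = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n;|]*?-Exclusion(Path|Extension|Process)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    where: str   # hostname or source IP
    when: str    # timestamp as found in the log
    rule: str
    detail: str


# Constructed script-block log: ts|EventID|Computer|ScriptBlockText (assumed layout).
SCRIPTBLOCK_LOG = """\
2025-03-10T14:02:11Z|4104|WS01|Add-MpPreference -ExclusionPath 'C:\\Users\\Public' -ExclusionExtension '.exe'
2025-03-10T14:02:12Z|4104|WS01|Add-MpPreference -ExclusionProcess 'C:\\Users\\Public\\update.exe'
2025-03-10T14:05:40Z|4104|WS01|Get-ChildItem C:\\Windows\\Temp
2025-03-10T14:05:41Z|4104|WS02|Set-MpPreference -ExclusionExtension @('.vbs','.dll')
2025-03-10T14:05:42Z|4103|WS02|Add-MpPreference -ExclusionPath 'D:\\'
"""

# Constructed FTP session summary (assumed CSV schema, not Zeek/Suricata output).
FTP_LOG = """\
ts,src_ip,dst_host,dst_port,ftp_user,command,arg
2025-03-10T14:06:02Z,10.0.0.15,ftp.dorasanat.com.tr,21,<redacted>,STOR,WS01_report.txt
2025-03-10T14:06:05Z,10.0.0.22,ftp.example.org,21,backup,STOR,nightly.tar
2025-03-10T14:07:13Z,10.0.0.15,FTP.DORASANAT.COM.TR,21,<redacted>,STOR,WS01_browsers.txt
2025-03-10T14:08:00Z,10.0.0.31,ftp.dorasanat.com.tr,2121,anon,LIST,
"""


def find_defender_exclusions(log_text: str) -> list[Finding]:
    """Flag 4104 script blocks that add Defender exclusions."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, computer, script = line.split("|", 3)
        if event_id != "4104":          # only script-block text carries the command
            continue
        m = _DEFENDER_EXCL.search(script)
        if m:
            findings.append(Finding(computer, ts, "defender_exclusion_added", m.group(0)))
    return findings


def find_exfil_sessions(csv_text: str) -> list[Finding]:
    """Flag FTP sessions to the extracted exfil host on the configured port."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["dst_host"].lower() != EXFIL_HOST or int(row["dst_port"]) != EXFIL_PORT:
            continue
        detail = f"{row['command']} {row['arg']}".strip()
        findings.append(Finding(row["src_ip"], row["ts"], "darkcloud_ftp_exfil", detail))
    return findings


def hunt() -> list[Finding]:
    """Run both rules over the constructed samples, ordered by timestamp."""
    return sorted(
        find_defender_exclusions(SCRIPTBLOCK_LOG) + find_exfil_sessions(FTP_LOG),
        key=lambda f: f.when,
    )


if __name__ == "__main__":
    for f in hunt():
        print(f"{f.when} {f.where:10} {f.rule:26} {f.detail}")
```

Both rules are intentionally narrow: the Defender rule ignores non-4104 events (the 4103 line above is module logging, whose text field has a different shape) and does not follow pipelines, and the FTP rule requires both the host and port from the config, so the port-2121 session is not reported. Widen either only with a matching change to the constructed inputs.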

MITRE ATT&CK Enterprise v15

Tasks