General

  • Target: b268d64c974f59357621dbc9daff9f033abf2703ee2e4cb971c09210dee7be5c.exe
  • Size: 312KB
  • Sample: 250310-phwwkstrt4
  • MD5: 8f14f13dc44f85ff56cdf0ed7a6b983a
  • SHA1: 5edb47220a6886ae60c7bd8d2b4e3db90fd5a214
  • SHA256: b268d64c974f59357621dbc9daff9f033abf2703ee2e4cb971c09210dee7be5c
  • SHA512: 8b58f6a89785560f535e648a6c4f9245e1d57776f39e7c3ad11aa1c694377dbc53eb35cba803487ee345becb8aa79d47f5dd0dcedfba68ef522e3c55f6a16d2e
  • SSDEEP: 6144:d93dhw0VJBQ+5aKY9vVly9UYVXtFHVv7SojJdo4:81KY9vV0K8tFVmo

Malware Config

Extracted

Family

darkcloud

Credentials

  • Protocol: ftp
  • Host: @StrFtpServer
  • Port: 21
  • Username: @StrFtpUser
  • Password: @StrFtpPass

Targets

    • Target: b268d64c974f59357621dbc9daff9f033abf2703ee2e4cb971c09210dee7be5c.exe

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks