General

  • Target

    688c929b7be5c31a2a5410394024f9dea1bcfc62af0c24237d2b23b8fea70055.exe

  • Size

    312KB

  • Sample

    250310-pjh14strv6

  • MD5

    a96c59a13f39027b83fc5d9e2222edc7

  • SHA1

    62233614e0ad9d4a5abe2b10d2f368a5651f6667

  • SHA256

    688c929b7be5c31a2a5410394024f9dea1bcfc62af0c24237d2b23b8fea70055

  • SHA512

    49c300c1ec38bd09674b427dfaa91a847ba10f3dec79f88a27a9fdb9e72ea6ad7af90db28907d6131f183b50a7e904a16f018784a2971beb5005793f6c92c084

  • SSDEEP

    3072:tADMz9yd8VWBQiz9gVDywSzirNPU4y3HVeBszXxSG8BJWrjKnTHIgLT1vJBtQPIX:/9yd8VWBQizZwrU4kHMaBSQjb2QPQo4

Malware Config

Extracted

Family

darkcloud

Credentials

  • Protocol:
    ftp
  • Host:
    @StrFtpServer
  • Port:
    21
  • Username:
    @StrFtpUser
  • Password:
    @StrFtpPass

Targets

    • Target

      688c929b7be5c31a2a5410394024f9dea1bcfc62af0c24237d2b23b8fea70055.exe

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks