darkcloud | 2eb2f5bee8cdedefe8abc594fc99ff1ff56f3b2cba32742efe7c97ccea5c7971

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.exe
Size

1.2MB
MD5

7ed712c21a1da57aa34c94f6112532fb
SHA1

a094f67f0db0260bc2cd11be4e1d8769f0378720
SHA256

2eb2f5bee8cdedefe8abc594fc99ff1ff56f3b2cba32742efe7c97ccea5c7971
SHA512

4bcaefc164f3ced4e129ba20168e8cde0eeb56f31331a2bb7af6408ee048b4fe128e1d5eaad77533d1b1cc0f8b79eb2877f3f35a94baedd19267aaa260193579
SSDEEP

24576:PAHnh+eWsN3skA4RV1Hom2KXFmIaHgc52ROsHneqwN0+A5:yh+ZkldoPK1XaAcgROkeqxJ

Score

10^/10

darkcloud discovery stealer

Malware Config

Extracted

Family

darkcloud

Attributes

email_from
[email protected]
email_to
[email protected]

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Darkcloud family
darkcloud

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hypopygidium.vbs	hypopygidium.exe

Executes dropped EXE 1 IoCs

pid	Process
4528	hypopygidium.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000300000001db4f-15.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4528 set thread context of 4984	4528	hypopygidium.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hypopygidium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4528	hypopygidium.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1492	start.exe
1492	start.exe
4528	hypopygidium.exe
4528	hypopygidium.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1492	start.exe
1492	start.exe
4528	hypopygidium.exe
4528	hypopygidium.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4984	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 4528	1492	start.exe	88
PID 1492 wrote to memory of 4528	1492	start.exe	88
PID 1492 wrote to memory of 4528	1492	start.exe	88
PID 4528 wrote to memory of 4984	4528	hypopygidium.exe	91
PID 4528 wrote to memory of 4984	4528	hypopygidium.exe	91
PID 4528 wrote to memory of 4984	4528	hypopygidium.exe	91
PID 4528 wrote to memory of 4984	4528	hypopygidium.exe	91

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\kinematical\hypopygidium.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\murky

Filesize
252KB

MD5
03cf60c0a0a98016c79c51ccc686d5ea

SHA1
9cc763f35e2039341747f6e4ec52275536c707e5

SHA256
2d53157a316d61a170fa7500ee10af7986bf10c8bd67d3863c645729974417f4

SHA512
8f2abf8551b694db766fc7c73d28676906d45ea5e7d9ef35e6eb7e1f2e57056172f2bf2a700b8bbfe9ec13424c144f37e57874303c7d66a5456a790efab3ce5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\unrosined

Filesize
464KB

MD5
c12aefeb8672e360ae6a80e2b7cc40cc

SHA1
85dad80ab7e705ee1d1f5c577a1b08fa91208b98

SHA256
5f5fe30c0d2d55798317bc4fea2c122ab5eb00b208ceb0982210fb1301e88fe1

SHA512
253bf3c86ec54f8472acfbd76b79c6f6b2682fadb2ede3d9919cac7d9075d7969e83f8e3de4ac1d3886056f51d0e64f036670f44e9a1294424642ab59917f043

Download Submit
C:\Users\Admin\AppData\Local\kinematical\hypopygidium.exe

Filesize
1.2MB

MD5
7ed712c21a1da57aa34c94f6112532fb

SHA1
a094f67f0db0260bc2cd11be4e1d8769f0378720

SHA256
2eb2f5bee8cdedefe8abc594fc99ff1ff56f3b2cba32742efe7c97ccea5c7971

SHA512
4bcaefc164f3ced4e129ba20168e8cde0eeb56f31331a2bb7af6408ee048b4fe128e1d5eaad77533d1b1cc0f8b79eb2877f3f35a94baedd19267aaa260193579

Download Submit
memory/1492-11-0x00000000011D0000-0x00000000015D0000-memory.dmp

Filesize
4.0MB

Download
memory/4528-29-0x0000000001470000-0x0000000001870000-memory.dmp

Filesize
4.0MB

Download
memory/4984-31-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4984-33-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4984-44-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download