General

Target: 1328f2b5957c60a53f0c0d00786c536e3f182c44aa47dcd4b8850037d9a6beeb.exe
Size: 797KB
Sample: 250311-cprh8axxft
MD5: 0114ecfd983f457204164e0f72adbf78
SHA1: 26fd0dc11aceeb4e0e8b59bb357fb3c9c33d417a
SHA256: 1328f2b5957c60a53f0c0d00786c536e3f182c44aa47dcd4b8850037d9a6beeb
SHA512: 48d250d3b802dcf248e5133b338a800e8b877a1763dac9f0dd75f655ed5f50232c046dc4ce9bb4982fae50c3022c0f9593e1d0c6a62c15ae18b29d34f3895260
SSDEEP: 12288:xrgGXFJPY52q7Lv/V4eWSskHV8RLb2mnSAi/zB6CCOtpQCfd8fmM:xDg2q7ZBgdRLb240/zfQI2
Static task: static1
Behavioral task: behavioral1
Sample: 1328f2b5957c60a53f0c0d00786c536e3f182c44aa47dcd4b8850037d9a6beeb.exe
Resource: win7-20240729-en
Malware Config

Extracted: DarkCloud
Protocol: ftp (plaintext, credentials and stolen data travel unencrypted)
Host: ftp.dorasanat.com.tr
Port: 21
Username: [email protected] (the username is obscured in the source page)
Password: 2ynT]th~+-pD
Targets

Target: 1328f2b5957c60a53f0c0d00786c536e3f182c44aa47dcd4b8850037d9a6beeb.exe (797KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

- Darkcloud family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (the Add-MpPreference / Set-MpPreference cmdlets with -ExclusionExtension, -ExclusionPath and -ExclusionProcess), so that dropped payloads and the stealer process are not scanned.
- Checks computer location settings
  Looks up the country code configured in the registry (the GeoID under HKCU\Control Panel\International\Geo), likely a geofence check to avoid running in certain countries.
- Suspicious use of SetThreadContext
  Setting the context of another thread is the usual final step of process hollowing and other thread-hijacking injection: the entry point of a suspended thread is redirected to attacker-controlled code.
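Two of the behaviours above are the ones a SOC would turn into detections first: PowerShell adding Defender exclusions, and outbound plaintext FTP to the exfiltration host taken from the extracted config. The following Python is an added example, not part of the sandbox report and not DarkCloud's own code. The pipe-delimited log format, the sample lines, the file paths and the IP addresses are constructed for the demo; the host name and port are the ones extracted above, and Add-MpPreference / Set-MpPreference are the standard Defender exclusion cmdlets the signature describes. It also generalizes slightly beyond the page by flagging any port-21 connection at lower confidence.

```python
"""Detection logic for two behaviours in this report, run over constructed log lines:
(1) PowerShell adding Windows Defender exclusions, (2) outbound FTP to the DarkCloud exfil host."""
import re
from dataclasses import dataclass

# Indicators taken from the extracted DarkCloud config on this page.
EXFIL_HOST = "ftp.dorasanat.com.tr"
EXFIL_PORT = 21

# Constructed log format (an assumption, not a real product's schema): "<EventID>|<payload>".
# 4104 = PowerShell script block text; 3 = Sysmon network connection as key=value pairs.
SAMPLE_LOG = [
    "4104|Add-MpPreference -ExclusionPath 'C:\\Users\\Public','C:\\ProgramData\\tmp' "
    "-ExclusionExtension .exe -ExclusionProcess \"powershell.exe\"",
    "4104|Get-MpPreference | Select-Object ExclusionPath",       # benign read, must not fire
    "4104|set-mppreference -exclusionprocess dllhost.exe",       # lower-case variant
    "3|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\1328f2b5.exe "
    "DestinationHostname=ftp.dorasanat.com.tr DestinationIp=203.0.113.10 DestinationPort=21",
    "3|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "DestinationHostname=example.org DestinationIp=198.51.100.7 DestinationPort=443",
]

MP_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# Full parameter names only; PowerShell also accepts unambiguous prefixes (-ExclusionPat),
# which a production rule should cover as well.
EXCL_PARAM_RE = re.compile(
    r"-(Exclusion(?:Path|Extension|Process))\b\s+"
    r"((?:\"[^\"]*\"|'[^']*'|[^\s,'\"]+)(?:\s*,\s*(?:\"[^\"]*\"|'[^']*'|[^\s,'\"]+))*)",
    re.IGNORECASE,
)
VALUE_TOKEN_RE = re.compile(r"\"([^\"]*)\"|'([^']*)'|([^\s,'\"]+)")
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # key=value pairs, values may contain spaces
CANON = {p.lower(): p for p in ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")}


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def defender_exclusions(script_text):
    """Return (parameter, value) pairs added via Add-/Set-MpPreference; [] when none."""
    if not MP_CMDLET_RE.search(script_text):
        return []
    pairs = []
    for m in EXCL_PARAM_RE.finditer(script_text):
        param = CANON[m.group(1).lower()]
        for tok in VALUE_TOKEN_RE.finditer(m.group(2)):   # split comma lists, strip quotes
            value = next(g for g in tok.groups() if g is not None)
            pairs.append((param, value))
    return pairs


def ftp_exfil(fields):
    """Classify a network event: the extracted DarkCloud host is a high-confidence hit;
    any other plaintext FTP (port 21) from a process is a lower-confidence lead."""
    host = fields.get("DestinationHostname", "").lower()
    port = int(fields.get("DestinationPort", "0"))
    image = fields.get("Image", "?")
    if host == EXFIL_HOST:
        return ("darkcloud_ftp_exfil", f"{image} -> {host}:{port}")
    if port == EXFIL_PORT:
        return ("plaintext_ftp_outbound", f"{image} -> {host or fields.get('DestinationIp', '?')}:{port}")
    return None


def triage(lines):
    """Run both detections over the constructed log lines and return the findings."""
    findings = []
    for line in lines:
        event_id, _, payload = line.partition("|")
        if event_id == "4104":
            for param, value in defender_exclusions(payload):
                findings.append(Finding(4104, "defender_exclusion_added", f"{param}={value}"))
        elif event_id == "3":
            hit = ftp_exfil(dict(KV_RE.findall(payload)))
            if hit:
                findings.append(Finding(3, *hit))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

The script-block rule is deliberately narrow: it matches only the two cmdlets by name, so a loader that hides them behind -EncodedCommand, string concatenation or an alias will not fire until the script block has been decoded (Event 4104 records the decoded text for encoded commands, which is why it is the right log to read). Pair the host-based hit with the FTP credentials from the config to confirm exfiltration in the network capture.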