darkcloud | be959c5af412cea0ace74075b381c4a2328160b92cdde26a4dd8739a437be30e | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

be959c5af4...0e.exe

windows7-x64

be959c5af4...0e.exe

windows10-2004-x64

Sharing

General

Target

be959c5af412cea0ace74075b381c4a2328160b92cdde26a4dd8739a437be30e.exe
Size

1.2MB
Sample

250311-fdkhbasxcy
MD5

498c31b587f16c1263e92a03a8baeb93
SHA1

8c6edd8e32870a3276d2ed246d2311e05764b42d
SHA256

be959c5af412cea0ace74075b381c4a2328160b92cdde26a4dd8739a437be30e
SHA512

f10fe82ba2a995c77737260c6b0407ae59b97d16fecebeaef5a22ae636197b33fcaf0dacabc925167b6f21a764ee19d34636ecb02194ab5a1e2780151b799f92
SSDEEP

24576:1o7MrTswryb85Fm6lmnr4eKiwMonfJk/WvDHal++UQcOVh9Z:kQ2bcs6cseJwMofqeakQJh9

Score

10^/10

darkcloud discovery execution stealer upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

be959c5af412cea0ace74075b381c4a2328160b92cdde26a4dd8739a437be30e.exe

Resource

win7-20240903-en

darkcloud discovery execution stealer upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

be959c5af412cea0ace74075b381c4a2328160b92cdde26a4dd8739a437be30e.exe

Resource

win10v2004-20250217-en

darkcloud discovery execution stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot8052153515:AAEy1R0ssCqYRtfr5MLZ5lbcuC9K_RdIieY/sendMessage?chat_id=5022382431

Targets

- Target
  
  be959c5af412cea0ace74075b381c4a2328160b92cdde26a4dd8739a437be30e.exe
- Size
  
  1.2MB
- MD5
  
  498c31b587f16c1263e92a03a8baeb93
- SHA1
  
  8c6edd8e32870a3276d2ed246d2311e05764b42d
- SHA256
  
  be959c5af412cea0ace74075b381c4a2328160b92cdde26a4dd8739a437be30e
- SHA512
  
  f10fe82ba2a995c77737260c6b0407ae59b97d16fecebeaef5a22ae636197b33fcaf0dacabc925167b6f21a764ee19d34636ecb02194ab5a1e2780151b799f92
- SSDEEP
  
  24576:1o7MrTswryb85Fm6lmnr4eKiwMonfJk/WvDHal++UQcOVh9Z:kQ2bcs6cseJwMofqeakQJh9
Score

10^/10

darkcloud discovery execution stealer upx
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Darkcloud family
  darkcloud
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkclouddiscoveryexecutionstealerupx

behavioral2

darkclouddiscoveryexecutionstealer

© 2018-2025

Terms | Privacy