
General

  • Target

    comprobante de pago.exe

  • Size

    819KB

  • Sample

    250312-m6w55syset

  • MD5

    969da5cc61a21e2d5fd00a52254ecd8e

  • SHA1

    3f3cb9fdf47343f8e4d88e5171ad3b57ed6c4bad

  • SHA256

    20dc4ffc31f978e2c822878b11a4d59c3ad6da9898a7028d75d3c9079598de18

  • SHA512

    6df74d8e45b5db927d8962e453f379b18ba79dce91a8e0677b55a36c1a57f38c43f677091d280d1abcbcad2b214299aeb02f2784047411e2d62a6e0912556e60

  • SSDEEP

    12288:1gP0I82X5K+GDnvy1eSLR0lUEkyZtyj6ittqTH3oEuprboHlExvyBBApy2HIxod3:EFJsDnylcpZk64oYEGc+yTARioCLC

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot7733877678:AAEqT6ly9PGheBCvOkuDttTsF2fRwpgtX5s/sendMessage?chat_id=5039346757
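The extracted C2 is a Telegram Bot API endpoint: the bot token is the credential the stealer embeds, and the bot id and chat_id are the stable pivots for hunting and blocking. Below is an added example of how to pull such endpoints out of strings, proxy logs or a config dump and turn them into shareable indicators with the secret masked. It is not Triage's or the malware's code; the proxy log lines are constructed for the example, and only the first URL is the one extracted from this sample.

```python
"""
Extract Telegram Bot API exfiltration endpoints from text and produce indicators.
Added example for this report, not Triage's signature code. The log lines in
SAMPLE_INPUT other than the first URL are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>?...
# The token is "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>"; chat_id is a
# signed integer (negative for groups and channels).
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)(?P<query>\?[^\s\"'<>]*)?"
)

# Methods a stealer uses to push data out; getUpdates/getMe are tasking or checks.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

FAKE_SECRET = "A" * 35  # constructed placeholder for the synthetic log line below

SAMPLE_INPUT = f"""\
# C2 URL as extracted from this sample's configuration:
https://api.telegram.org/bot7733877678:AAEqT6ly9PGheBCvOkuDttTsF2fRwpgtX5s/sendMessage?chat_id=5039346757
# Constructed proxy log lines, not from the sandbox run:
2025-03-12T11:04:51Z 10.0.0.7 POST https://api.telegram.org/bot123456789:{FAKE_SECRET}/sendDocument?chat_id=-1001234567890&caption=passwords 200
2025-03-12T11:04:52Z 10.0.0.7 GET https://t.me/somechannel 200
"""


def parse_telegram_c2(text: str) -> List[Dict[str, object]]:
    """Return one record per Bot API URL found in `text`."""
    hits = []
    for m in TELEGRAM_BOT_URL.finditer(text):
        query = parse_qs((m.group("query") or "?")[1:])
        hits.append({
            "bot_id": m.group("bot_id"),
            "token": f'{m.group("bot_id")}:{m.group("secret")}',
            "method": m.group("method"),
            "chat_id": query.get("chat_id", [None])[0],
            "exfil": m.group("method") in EXFIL_METHODS,
            "url": m.group(0),
        })
    return hits


def redact_token(token: str) -> str:
    """Keep the bot id (a stable identifier) and mask the secret for sharing."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 8)}{secret[-4:]}"


def indicators(hits: List[Dict[str, object]]) -> List[str]:
    """Pivot keys that survive token rotation: bot id, chat id, redacted token."""
    out = set()
    for h in hits:
        out.add(f"telegram-bot-id:{h['bot_id']}")
        if h["chat_id"] is not None:
            out.add(f"telegram-chat-id:{h['chat_id']}")
        out.add(f"telegram-token:{redact_token(str(h['token']))}")
    return sorted(out)


if __name__ == "__main__":
    found = parse_telegram_c2(SAMPLE_INPUT)
    for h in found:
        print(h["method"], "exfil" if h["exfil"] else "other", "chat_id", h["chat_id"])
    print("\n".join(indicators(found)))
```

Blocking api.telegram.org outright is rarely acceptable in an enterprise, so the useful controls are alerting on any non-browser process that contacts it and sharing the bot id and chat id, which remain valid after the token is rotated.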

Targets

    • Target

      comprobante de pago.exe

    • Size

      819KB

    • MD5

      969da5cc61a21e2d5fd00a52254ecd8e

    • SHA1

      3f3cb9fdf47343f8e4d88e5171ad3b57ed6c4bad

    • SHA256

      20dc4ffc31f978e2c822878b11a4d59c3ad6da9898a7028d75d3c9079598de18

    • SHA512

      6df74d8e45b5db927d8962e453f379b18ba79dce91a8e0677b55a36c1a57f38c43f677091d280d1abcbcad2b214299aeb02f2784047411e2d62a6e0912556e60

    • SSDEEP

      12288:1gP0I82X5K+GDnvy1eSLR0lUEkyZtyj6ittqTH3oEuprboHlExvyBBApy2HIxod3:EFJsDnylcpZk64oYEGc+yTARioCLC

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden (typically -WindowStyle Hidden), so the user sees no console.

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2 (here the Telegram Bot API, as in the extracted C2 above)

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER set, so the thread raises no debug events and breakpoints inside it are invisible to an attached debugger.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger (0x11) information class on an existing thread, with the same effect.

    • Target

      Skyldsflelsers.Pos

    • Size

      51KB

    • MD5

      550953a2f63ed2b48ebf6f76343105dc

    • SHA1

      f9425cafc739b32c655b05afdf9a5930337f2a54

    • SHA256

      f4c99919eaf75b521f3e08ec3e4378cc546a07de51735e48d7cf9110a4afec3c

    • SHA512

      956bb1f66503873a3b721875123c485ca47e7f9f9ce14ce451a2a4b0f1c705b40774ac1569bdb41e83758e880586e1f7740598b3112744e0b68720ae4e0deab3

    • SSDEEP

      768:iPi38zuk1tqO6kIRVOfsWD1psa71w+Mig6SR2hCWmm4oOr7G0ugpS12n:MAOlrJAOUCfj1w/ig6SR2uqOrbb

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine: a component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components whose StubPath command is run once per user at the next logon.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
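The signatures above (hidden-window PowerShell, the two HideFromDebugger variants, and the Active Setup StubPath write) are each a single API call with a recognisable argument. As an added example, not Triage's signature code, the following detection logic applies those checks to a constructed API-call trace. The trace format is invented for the example; the NT constants it tests for (ThreadHideFromDebugger = 0x11, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4) and the Active Setup key path are real.

```python
"""
Detection logic for the behaviours flagged in this report, run over a
constructed API-call trace. Added example, not Triage's own signatures; the
"pid=... image=... api=... args=k:v|k:v" format is invented for the example.
"""
import re
from typing import Dict, List, Optional

THREAD_HIDE_FROM_DEBUGGER = 0x11             # THREADINFOCLASS ThreadHideFromDebugger (17)
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4

ACTIVE_SETUP_KEY = "\\microsoft\\active setup\\installed components\\"
# A legitimate StubPath normally lives under one of these; anything else needs a look.
TRUSTED_STUB_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Matches -w hidden / -WindowStyle Hidden; other PowerShell prefix forms (-win) are not covered.
HIDDEN_PS = re.compile(r"powershell(?:\.exe)?.*?\s-w(?:indowstyle)?\s+hidden\b", re.I)

LINE = re.compile(r"^pid=(?P<pid>\d+) image=(?P<image>.+?) api=(?P<api>\w+) args=(?P<args>.*)$")

# Constructed trace: pid 2140 mimics the behaviours reported for this sample,
# pid 4100 is a benign installer writing a StubPath under C:\Windows.
SAMPLE_TRACE = r"""
pid=2140 image=comprobante de pago.exe api=CreateProcessW args=CommandLine:powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1
pid=2140 image=comprobante de pago.exe api=NtSetInformationThread args=ThreadHandle:0xfffffffe|ThreadInformationClass:0x11
pid=2140 image=comprobante de pago.exe api=NtCreateThreadEx args=ProcessHandle:0xffffffff|CreateFlags:0x4
pid=2140 image=comprobante de pago.exe api=NtSetInformationThread args=ThreadHandle:0xfffffffe|ThreadInformationClass:0x2
pid=2140 image=comprobante de pago.exe api=RegSetValueExW args=Key:HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}|Value:Version|Data:1,0,0,0
pid=2140 image=comprobante de pago.exe api=RegSetValueExW args=Key:HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}|Value:StubPath|Data:C:\Users\victim\AppData\Roaming\Skyldsflelsers.exe
pid=4100 image=msiexec.exe api=RegSetValueExW args=Key:HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}|Value:StubPath|Data:C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\example.dll
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one trace line into pid/image/api and an args dict."""
    m = LINE.match(line)
    if not m:
        return None
    args = {}
    for part in m.group("args").split("|"):
        key, _, value = part.partition(":")
        args[key] = value
    return {"pid": int(m.group("pid")), "image": m.group("image"),
            "api": m.group("api"), "args": args}


def detect(trace: str) -> List[Dict[str, object]]:
    """Return one finding per event matching a signature from this report."""
    findings = []
    for raw in trace.splitlines():
        ev = parse_line(raw.strip())
        if not ev:
            continue
        api, a = str(ev["api"]), dict(ev["args"])
        hit = None
        if api.startswith("CreateProcess") and HIDDEN_PS.search(a.get("CommandLine", "")):
            hit = ("Command and Scripting Interpreter: PowerShell (hidden window)", a["CommandLine"])
        elif api == "NtSetInformationThread" and \
                int(a.get("ThreadInformationClass", "0"), 0) == THREAD_HIDE_FROM_DEBUGGER:
            hit = ("Suspicious use of NtSetInformationThreadHideFromDebugger", a.get("ThreadHandle", "?"))
        elif api == "NtCreateThreadEx" and \
                int(a.get("CreateFlags", "0"), 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hit = ("Suspicious use of NtCreateThreadExHideFromDebugger", a.get("CreateFlags", "?"))
        elif api.startswith("RegSetValue") and ACTIVE_SETUP_KEY in a.get("Key", "").lower() \
                and a.get("Value", "").lower() == "stubpath":
            data = a.get("Data", "")
            # A StubPath outside the system directories is the persistence signal.
            if not data.lower().startswith(TRUSTED_STUB_DIRS):
                hit = ("Boot or Logon Autostart Execution: Active Setup", data)
        if hit:
            findings.append({"pid": ev["pid"], "image": ev["image"],
                             "technique": hit[0], "detail": hit[1]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_TRACE):
        print(f"[{f['pid']}] {f['image']}: {f['technique']} -> {f['detail']}")
```

The benign NtSetInformationThread call with class 0x2 and the installer's StubPath under C:\Windows produce no findings, which is the distinction a sandbox signature has to make to stay useful on real traces.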

MITRE ATT&CK Enterprise v15

Tasks