darkcloud | 0bde9a627fcf3cf089507cbf26b24268b067481c45b1df9443a7c660ef6e3906 | Triage

Sharing

General

Target

3880_315066811c9056b9b8405b7422af8b74d6804f39045ab251f8d01c4e7bb3fa90.zip
Size

60KB
Sample

250326-nan1bsstbv
MD5

cd941e880492899cbeb85a4a3811c0e4
SHA1

5920758815e2de57957234b54774e5eade8437a4
SHA256

0bde9a627fcf3cf089507cbf26b24268b067481c45b1df9443a7c660ef6e3906
SHA512

77b7ad805dff5ce721a24d227abc903095353a3ee9d424e6feef80018a1e3dbd0b3cda6f6be86784b847d814269f15a1deba57744549fa36eed2dc6dfa2f6c06
SSDEEP

1536:NfvaNN8kMyRf6GbzmheM69gbX17Hwvc9a+jNZFlruL5:NfvoN8kMkRHOYgbXBMMj+5

Score

10^/10

darkcloud discovery stealer

Malware Config

Extracted

Family

darkcloud

Credentials

Protocol: ftp
Host:
@StrFtpServer
Port:
21
Username:
@StrFtpUser
Password:
@StrFtpPass

Targets

- Target
  
  transferencias.exe
- Size
  
  137KB
- MD5
  
  0edead730d80f99bca2b4b960a174f7d
- SHA1
  
  f886a913f4a2cd4afa95fb7c03e8a557a89bcfe5
- SHA256
  
  a3a6e6782391ceca1b29065e7755ae159d588a6ecae1c1e189f8781476bbb2a9
- SHA512
  
  e068161644aabf6b42cce956ac3a36711f2651251019088750298718089cff8155f4dc7afcf39d8af1ecec7b9a5c9d1d2d1d30cd156652e0893e3e202681ffaa
- SSDEEP
  
  3072:d4S2vrjXvpdfSC943hfS7ee1QqNGYIW54U4+0LUGvkkzDnhaW:dgrjXvpdJ43hfS7p1QqI8Gv/Hh
Score

10^/10

darkcloud discovery stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Darkcloud family
  darkcloud
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkclouddiscoverystealer