Analysis
-
max time kernel
146s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-es -
resource tags
-
submitted
26/03/2025, 11:11
General
-
Target
transferencias.exe
-
Size
137KB
-
MD5
0edead730d80f99bca2b4b960a174f7d
-
SHA1
f886a913f4a2cd4afa95fb7c03e8a557a89bcfe5
-
SHA256
a3a6e6782391ceca1b29065e7755ae159d588a6ecae1c1e189f8781476bbb2a9
-
SHA512
e068161644aabf6b42cce956ac3a36711f2651251019088750298718089cff8155f4dc7afcf39d8af1ecec7b9a5c9d1d2d1d30cd156652e0893e3e202681ffaa
-
SSDEEP
3072:d4S2vrjXvpdfSC943hfS7ee1QqNGYIW54U4+0LUGvkkzDnhaW:dgrjXvpdJ43hfS7p1QqI8Gv/Hh
Malware Config
Extracted
darkcloud
Protocol: ftp- Host:
@StrFtpServer - Port:
21 - Username:
@StrFtpUser - Password:
@StrFtpPass
Signatures
-
DarkCloud
An information stealer written in Visual Basic.
-
Darkcloud family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Drops startup file 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 42 IoCs
-
Suspicious use of SendNotifyMessage 42 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\transferencias.exe"C:\Users\Admin\AppData\Local\Temp\transferencias.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91B
MD56ed09806ad7eeee48357ded7215afbfe
SHA1520677c6703aae29853481a1692443e100d1c1cd
SHA256d06134b969a482c9ff9b8cfe05f349e62c43a9c1f0b75377d48523b256c4d7b5
SHA51275818330a907876840789a4cd9e8a677f8e33b9310a6988ecf8ed5de8684968f1140d0a8ffb87d274081d9c7438a322766d7f488ec5b8a8ce869cb40c23d3053
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
7.7MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
576KB
-
Filesize
560KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
336KB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB