darkcloud | 8cedda1d0cde315b40f2230e25dba412fe66ba9ea29dbeea853b43ad523dab23 | Triage

Sharing

General

Target

8cedda1d0cde315b40f2230e25dba412fe66ba9ea29dbeea853b43ad523dab23.exe
Size

95KB
Sample

250326-vjshfa1mw2
MD5

90667a63ede6f2f251e13e201964ddc4
SHA1

2993b766d09f0c651082b67bb613a88835915672
SHA256

8cedda1d0cde315b40f2230e25dba412fe66ba9ea29dbeea853b43ad523dab23
SHA512

e43cea9d293fd816fcb8c0d36ddfd69b0d59f21cc77fa5dcb9030b8cd36d3326020b034442ee9470bf306f54a4b2d039ba25ecd88ab6e744b5aa1d4f22ba5c9c
SSDEEP

1536:kh4YodEvoQeabQkw+hmeOPcwrPOE6ZEblTMk2NfpRjq9fnB:PYh9KcqPh62blTMk29pRjq9fnB

Score

10^/10

darkcloud discovery stealer

Malware Config

Extracted

Family

darkcloud

Credentials

Protocol: ftp
Host:
@StrFtpServer
Port:
21
Username:
@StrFtpUser
Password:
@StrFtpPass

Targets

- Target
  
  8cedda1d0cde315b40f2230e25dba412fe66ba9ea29dbeea853b43ad523dab23.exe
- Size
  
  95KB
- MD5
  
  90667a63ede6f2f251e13e201964ddc4
- SHA1
  
  2993b766d09f0c651082b67bb613a88835915672
- SHA256
  
  8cedda1d0cde315b40f2230e25dba412fe66ba9ea29dbeea853b43ad523dab23
- SHA512
  
  e43cea9d293fd816fcb8c0d36ddfd69b0d59f21cc77fa5dcb9030b8cd36d3326020b034442ee9470bf306f54a4b2d039ba25ecd88ab6e744b5aa1d4f22ba5c9c
- SSDEEP
  
  1536:kh4YodEvoQeabQkw+hmeOPcwrPOE6ZEblTMk2NfpRjq9fnB:PYh9KcqPh62blTMk29pRjq9fnB
Score

10^/10

discovery darkcloud stealer
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Darkcloud family
  darkcloud
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkclouddiscoverystealer