Extracted

• • Target

    e-dekont – 02.04.2025.exe

  • Size

    976KB

  • MD5

    dc219b6f4c32a80c24f2e4e35f668bb4

  • SHA1

    25db317d7619f446312723f21fbfafba482734f3

  • SHA256

    8f08477a7d22a869fb074f6fd5a3d6fcb7a0f2c6edd1a98a15efa9d04b07acc6

  • SHA512

    c31b12bc2c5807ec8c6abf534cc610234e318aed5eab585f29384b5b400f99b002fe73ed8703d882f5ebe676db6330a3af6fe307dd6897a57838062b645a38ca

  • SSDEEP

    24576:BhFi0ERYgjc4gJ1mQbAGBGkkULtts9eCvJwC:Xw0vD1fA2GapSp/

  Score

  10^/10

  darkclouddiscoveryexecutionstealer

  • DarkCloud

    An information stealer written in Visual Basic.

    stealerdarkcloud

  • Darkcloud family

    darkcloud

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Blocklisted process makes network request

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1

• • Target

    Spastisk.Mon

  • Size

    54KB

  • MD5

    0dd6bde75f23f98b72d3aa40fa3b61e8

  • SHA1

    c148b04d809c5d9e39b13f50356d7d41abe81f20

  • SHA256

    02e687ed7dc28b91cc89eb4189edf3554d953ea674950a6a62a80fac38c6ffe9

  • SHA512

    a7da969581dc282dbfcaaa45b70ebadfe53b1a458bf07458f9a509fe25866e6b84af7cdde3b8e67a89b9159774559c11bd9735c6f57af176466ead337f149809

  • SSDEEP

    768:YAbS43HRDKDBF4kkcPqv47XwBCt6tX5SlMFw3dwzaUu9KinB9l9q196A+JK/CJdD:YAbS43sfkgds4BMS3Kq9KCB9lon654A

  Score

  8^/10

  executionpersistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral2