Overview

overview

10

Static

static

3

PFI 30% Sw...25.exe

windows10-2004-x64

10

PFI 30% Sw...25.exe

windows11-21h2-x64

10

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PFI 30% Swift Copy 4-15-2025.exe

  • Size

    762KB

  • Sample

    250416-n876vsvps3

  • MD5

    1eec08f300b90b6e11ed91789fa9f152

  • SHA1

    759f4d40f1eca57e5c53316bab8d30e2a6233757

  • SHA256

    b67b8cd40460c4eaf0d05f0d097dcbce25444110aaa1e4af37440d206ad64b44

  • SHA512

    e38bd2a8612af4539ecf8f386ec66d7ec3bd011f061cad8b3ed928b73ee67fe9ec65f119e2ca96ad95e23fbac00a4027aa04107656fc6f95fd97332a064b91e7

  • SSDEEP

    12288:eG2LrZKuokM3I/2VycHnxuC/yB9sj1f90BT8LfZviKc6g6cFpyIPiHUXVBR0:eG2BKuFV/IyenxuC/yB92n0BT8LhvJ0Q

Score
10/10
darkcloudguloaderdiscoverydownloaderspywarestealer

Malware Config

Targets

    • Target

      PFI 30% Swift Copy 4-15-2025.exe

    • Size

      762KB

    • MD5

      1eec08f300b90b6e11ed91789fa9f152

    • SHA1

      759f4d40f1eca57e5c53316bab8d30e2a6233757

    • SHA256

      b67b8cd40460c4eaf0d05f0d097dcbce25444110aaa1e4af37440d206ad64b44

    • SHA512

      e38bd2a8612af4539ecf8f386ec66d7ec3bd011f061cad8b3ed928b73ee67fe9ec65f119e2ca96ad95e23fbac00a4027aa04107656fc6f95fd97332a064b91e7

    • SSDEEP

      12288:eG2LrZKuokM3I/2VycHnxuC/yB9sj1f90BT8LfZviKc6g6cFpyIPiHUXVBR0:eG2BKuFV/IyenxuC/yB92n0BT8LhvJ0Q

    Score
    10/10
    darkcloudguloaderdiscoverydownloaderspywarestealer

    • DarkCloud

      An information stealer written in Visual Basic.

      stealerdarkcloud

    • Darkcloud family

      darkcloud

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      6f5257c0b8c0ef4d440f4f4fce85fb1b

    • SHA1

      b6ac111dfb0d1fc75ad09c56bde7830232395785

    • SHA256

      b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

    • SHA512

      a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

    • SSDEEP

      96:zPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+y:zPtkuWJX7zB3kGwfy0nyUVsxCjOM61u

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v16

Tasks