darkcloud | c96d378c82dc680275d9ba8af3ef03ae35bd952e3c3d89ef87ec95870c0c4ede

General

Target

Petronas Quotation -246370086_pdf.exe
Size

1.2MB
MD5

30f39cfe49af11f14c6ee920fdcfd78c
SHA1

1b98ae340d429d8c5114229056244e9b80c9898f
SHA256

7f2ebd49700ea7001b02a13970c52892313e04f377b0383e6911241db5c3c24b
SHA512

f9f0494ae7e4a7f9591bd8d97d3f014968cd85a2e89ef20ea68bbd5a68681c61dde84ce2b7674a15cbafffc8bbfc838934b8bcd9d13c8babfae2dad4d38fe132
SSDEEP

24576:4P2+AZd5sn8hNNpC70nH2XgDB3Z2fLhhr8ga1ck8KIQDCfdj56khw9PpO9TfrzLw:i2+MUiXC4n/t3AfL/rxk8TQD089Pp4vw

Score

10^/10

darkcloud guloader discovery downloader spyware stealer

Malware Config

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Darkcloud family
darkcloud
Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
2672	Petronas Quotation -246370086_pdf.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	drive.google.com
20	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vildttllinger.ini	Petronas Quotation -246370086_pdf.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3400	Petronas Quotation -246370086_pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2672	Petronas Quotation -246370086_pdf.exe
3400	Petronas Quotation -246370086_pdf.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\repunctuated\Gruppetilhrsforholdene.ini	Petronas Quotation -246370086_pdf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Nonprofession\omdefinerer.bin	Petronas Quotation -246370086_pdf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\trstespiserne\feodum.lnk	Petronas Quotation -246370086_pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Petronas Quotation -246370086_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Petronas Quotation -246370086_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2052	taskkill.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2672	Petronas Quotation -246370086_pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3400	Petronas Quotation -246370086_pdf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3400	Petronas Quotation -246370086_pdf.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3400	2672	Petronas Quotation -246370086_pdf.exe	93
PID 2672 wrote to memory of 3400	2672	Petronas Quotation -246370086_pdf.exe	93
PID 2672 wrote to memory of 3400	2672	Petronas Quotation -246370086_pdf.exe	93
PID 2672 wrote to memory of 3400	2672	Petronas Quotation -246370086_pdf.exe	93
PID 3400 wrote to memory of 2052	3400	Petronas Quotation -246370086_pdf.exe	96
PID 3400 wrote to memory of 2052	3400	Petronas Quotation -246370086_pdf.exe	96
PID 3400 wrote to memory of 2052	3400	Petronas Quotation -246370086_pdf.exe	96

C:\Users\Admin\AppData\Local\Temp\Petronas Quotation -246370086_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Petronas Quotation -246370086_pdf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\Petronas Quotation -246370086_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Petronas Quotation -246370086_pdf.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2052

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg6FF1.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ELDOIJJI-Admin.zip

Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ELDOIJJI-Admin.zip

Filesize
619B

MD5
9d22916b3580fe16028439183fcce4eb

SHA1
3c6482f3d15cf3dc72d854064a8621d04df58420

SHA256
fbd486014f7ad227d2722ef80546df2462e91f2c49aebce7503a36ef6548e61e

SHA512
40f34915907ad15f81d37074258e6d5492074a93ecc84ef85a6fabdabeb34623b3730b7f938d8e8ea0b130402508bda5a6105df16a9d3523327e1ce345dfe6ce

Download Submit
C:\Windows\SysWOW64\vildttllinger.ini

Filesize
36B

MD5
dbb3cc6cadd24636b4360ed61f0edbd2

SHA1
b8fbdfe19241066a41cf6c5444ad5a47e4c20490

SHA256
c8f7aaf341963727e04401a1122952d42414b91408b1a32f404647a72a1366e3

SHA512
2e1c1ba836f9ca9b69e33073e88efd0ea58e0071f718542fbeead50167df191398e0a67c06d93fbdbafa2a67bfb587edf252c1928dbbd8e06f9df8a178239596

Download Submit
memory/2672-351-0x0000000003210000-0x00000000056EB000-memory.dmp

Filesize
36.9MB

Download
memory/2672-352-0x0000000077181000-0x00000000772A1000-memory.dmp

Filesize
1.1MB

Download
memory/2672-353-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/3400-355-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-421-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-369-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-386-0x0000000077181000-0x00000000772A1000-memory.dmp

Filesize
1.1MB

Download
memory/3400-365-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-354-0x0000000001660000-0x0000000003B3B000-memory.dmp

Filesize
36.9MB

Download
memory/3400-405-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-419-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-420-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-367-0x0000000001660000-0x0000000003B3B000-memory.dmp

Filesize
36.9MB

Download
memory/3400-422-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-423-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-424-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-425-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-426-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-427-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-428-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-429-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3400-430-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing