darkcloud | 0c1172de36ebda969914314e4c09bfd910d398cda2952a75413db36a7f18d3fb

Analysis

max time kernel
297s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2025, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PRICE DOCUMENT.exe
Size

741KB
MD5

cbd2adf469c63fc4dc5c324b8185fc65
SHA1

8207dfb884f8eebc1dace7fb3fb61de0a824b45b
SHA256

69b5131e236cf15dc4ccb40c937ea0aa077d6b50c1bf05430a65f1999b5bb0e9
SHA512

5638b5ed3ecb7647a8c7bddaff10dcbef5d4aed9370c288f6e3d513e6f5b7d3057275f1ec820efcabf53cdf8b1c061743d6ee29e7f72785b06becf87cee9516f
SSDEEP

12288:jGYhNEFqmqt0xdOZC6m4/OUFL8u/0tTB/F9bomOvnEKELo2HT1lDAY6NhOdz:jGYXu80gZCTWFkNFZKvnVi5hA3Odz

Score

10^/10

darkcloud guloader discovery downloader spyware stealer

Malware Config

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Darkcloud family
darkcloud
Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
5636	PRICE DOCUMENT.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	drive.google.com
29	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3528	PRICE DOCUMENT.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5636	PRICE DOCUMENT.exe
3528	PRICE DOCUMENT.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\rancorously.ini	PRICE DOCUMENT.exe
File opened for modification	C:\Windows\resources\0409\konfigureredes\peag.ini	PRICE DOCUMENT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRICE DOCUMENT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRICE DOCUMENT.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5636	PRICE DOCUMENT.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3528	PRICE DOCUMENT.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3528	PRICE DOCUMENT.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5636 wrote to memory of 3528	5636	PRICE DOCUMENT.exe	90
PID 5636 wrote to memory of 3528	5636	PRICE DOCUMENT.exe	90
PID 5636 wrote to memory of 3528	5636	PRICE DOCUMENT.exe	90
PID 5636 wrote to memory of 3528	5636	PRICE DOCUMENT.exe	90

C:\Users\Admin\AppData\Local\Temp\PRICE DOCUMENT.exe
"C:\Users\Admin\AppData\Local\Temp\PRICE DOCUMENT.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5636
- C:\Users\Admin\AppData\Local\Temp\PRICE DOCUMENT.exe
  "C:\Users\Admin\AppData\Local\Temp\PRICE DOCUMENT.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3528

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd74B5.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd74B5.tmp\archostenosis.lnk

Filesize
1KB

MD5
c4631f521f71fc0e854738b9fc4f1198

SHA1
8e1276c5a242e890d0febb12df5d7a3119427567

SHA256
da5b3fd7e5ea98bf5d03191aa661326aec6e0ebd22153da103b2cf2241231d28

SHA512
a2ffd6bb4b71c4f7a69edc85e78898465ded0cfeff3773bfe967470e38635c4e40e4ac46cd30025c0abd4d7e2b0a03dd0a689cac4a1340d5e910b0a66a11945f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\OPSRBFUM-Admin.zip

Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Windows\Resources\0409\rancorously.ini

Filesize
36B

MD5
9f26c215597c6d215332812cb96823de

SHA1
e38d33b223894281f48585d5ee4a3cfaa8a69b2f

SHA256
31ce0e20e2e3d6047008df8b1186381728ecbe32cbdb1d8528e966c6ff79a8be

SHA512
cf84962ab1e33b580ec7acbc848f944ca2da16a21743225d60dd759d4df09de93e05255e64de5edf1369aa7ad8647a3cc748ab7247b215939f3b46ca493eeb0a

Download Submit
memory/3528-413-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-416-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-362-0x0000000001660000-0x000000000300F000-memory.dmp

Filesize
25.7MB

Download
memory/3528-363-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-364-0x0000000001660000-0x000000000300F000-memory.dmp

Filesize
25.7MB

Download
memory/3528-365-0x00000000772D8000-0x00000000772D9000-memory.dmp

Filesize
4KB

Download
memory/3528-366-0x00000000772F5000-0x00000000772F6000-memory.dmp

Filesize
4KB

Download
memory/3528-373-0x0000000001660000-0x000000000300F000-memory.dmp

Filesize
25.7MB

Download
memory/3528-374-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-375-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-376-0x0000000001660000-0x000000000300F000-memory.dmp

Filesize
25.7MB

Download
memory/3528-379-0x0000000077251000-0x0000000077371000-memory.dmp

Filesize
1.1MB

Download
memory/3528-390-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-435-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-409-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-410-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-411-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-412-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-434-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-414-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-433-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-417-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-415-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-418-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-419-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-420-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-421-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-422-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-423-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-424-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-425-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-426-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-427-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-428-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-429-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-430-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-431-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3528-432-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/5636-361-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/5636-359-0x00000000031F0000-0x0000000004B9F000-memory.dmp

Filesize
25.7MB

Download
memory/5636-360-0x0000000077251000-0x0000000077371000-memory.dmp

Filesize
1.1MB

Download