General

  • Target

    e6c31711fb2d4789a2269e5a2ddb205ae4fe554fcbe144041b08b9a91ef2abf1.zip

  • Size

    679KB

  • Sample

    250430-pxln6aal9t

  • MD5

    e9dec72d6a8342993e5e64a64d55e2ea

  • SHA1

    85421e3e35a2d3c1dfcc1ec92ba967d7aba6eb64

  • SHA256

    0a4d89731ed8d9bb255e5c8eec7daa1938f6118f3de7eb38401d1d3837953982

  • SHA512

    98c8d08ba3c18ddeab930ea55d71a0f94bcdd60d265512173bb37855b639e089c5f4b44dbb9516eee8185aba32fbf4999221de5b3f19a637ac2e74144e935d08

  • SSDEEP

    12288:IYn4c/iQwsCtMowmuLGdS8wPPChz+Zek+KJH1/4Zg8zxWMTbbanxQtZKA:hTz9LGdDwyVlk+wVQu8dW0bbaxKKA
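The digests above identify the .zip container, and the Targets section below lists the .exe it carries; note that the container is named after the SHA-256 of that executable, which is how the report links the two. As an added example (not part of the sandbox report), the script below turns those digests into an IOC check: it validates the transcribed hashes, computes MD5/SHA-1/SHA-256/SHA-512 in one pass over a file, and reports which artifact a file matches. The artifact labels "zip" and "exe" are names chosen here. SSDEEP is left out because fuzzy hashing needs the ssdeep library, so only the four exact digests are compared.

```python
"""Check a file against the exact-hash IOCs listed in this sandbox report.

Added example; it is not the sandbox's own code. Artifact labels "zip" and
"exe" are names chosen here for the container under General and the
executable under Targets.
"""
import hashlib
import io
from typing import BinaryIO, Dict, List, Optional, Tuple

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Digests copied from the report (General = .zip, Targets = .exe).
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "zip": {
        "md5": "e9dec72d6a8342993e5e64a64d55e2ea",
        "sha1": "85421e3e35a2d3c1dfcc1ec92ba967d7aba6eb64",
        "sha256": "0a4d89731ed8d9bb255e5c8eec7daa1938f6118f3de7eb38401d1d3837953982",
        "sha512": "98c8d08ba3c18ddeab930ea55d71a0f94bcdd60d265512173bb37855b639e089"
                  "c5f4b44dbb9516eee8185aba32fbf4999221de5b3f19a637ac2e74144e935d08",
    },
    "exe": {
        "md5": "36b3e837cead7b1538ea5e41485a06ac",
        "sha1": "c76596c085051231244be3af1fc60008c3996699",
        "sha256": "e6c31711fb2d4789a2269e5a2ddb205ae4fe554fcbe144041b08b9a91ef2abf1",
        "sha512": "88c9e31917a1d986c035e816087f5a00da9969b066801ddd063904324722433f"
                  "170d9284225fd3b1fd1f2a48a8ed04e7ff9de9202309a70c0d120c52b45a513b",
    },
}


def validate_iocs(iocs: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Catch transcription errors before hunting: every digest must be hex of
    the right length for its algorithm. Returns (label, algorithm, problem)."""
    problems = []
    for label, digests in iocs.items():
        for alg, value in digests.items():
            if alg not in HEX_LENGTHS:
                problems.append((label, alg, "unknown algorithm"))
            elif len(value) != HEX_LENGTHS[alg]:
                problems.append((label, alg, f"expected {HEX_LENGTHS[alg]} hex chars, got {len(value)}"))
            elif any(c not in "0123456789abcdefABCDEF" for c in value):
                problems.append((label, alg, "non-hex character"))
    return problems


def hash_stream(fp: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute all four digests in a single pass over a file-like object,
    so a large sample is read once rather than once per algorithm."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for chunk in iter(lambda: fp.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as fp:
        return hash_stream(fp)


def match_iocs(digests: Dict[str, str], iocs=REPORT_IOCS) -> Optional[Dict[str, object]]:
    """Return the artifact whose digests match, or None. Algorithms that agree
    are listed under "matched"; any that disagree go under "inconsistent"
    rather than being ignored, since a partial match (MD5 equal, SHA-256 not)
    almost always means a copy-paste error in the IOC set."""
    for label, expected in iocs.items():
        matched = sorted(alg for alg, val in expected.items()
                         if digests.get(alg) == val.lower())
        if matched:
            return {"artifact": label, "matched": matched,
                    "inconsistent": sorted(set(expected) - set(matched))}
    return None


if __name__ == "__main__":
    import sys
    assert not validate_iocs(REPORT_IOCS), validate_iocs(REPORT_IOCS)
    for path in sys.argv[1:]:
        print(path, match_iocs(hash_file(path)) or "no match")
```

Run it as `python ioc_check.py <file> ...`; an empty `inconsistent` list with all four algorithms under `matched` is the only result that should be treated as a confirmed hit.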

Malware Config

Targets

    • Target

      e6c31711fb2d4789a2269e5a2ddb205ae4fe554fcbe144041b08b9a91ef2abf1.exe

    • Size

      791KB

    • MD5

      36b3e837cead7b1538ea5e41485a06ac

    • SHA1

      c76596c085051231244be3af1fc60008c3996699

    • SHA256

      e6c31711fb2d4789a2269e5a2ddb205ae4fe554fcbe144041b08b9a91ef2abf1

    • SHA512

      88c9e31917a1d986c035e816087f5a00da9969b066801ddd063904324722433f170d9284225fd3b1fd1f2a48a8ed04e7ff9de9202309a70c0d120c52b45a513b

    • SSDEEP

      12288:oTEljAjpQDhvzNcXrt3VlhL96E6hzHFIc9CynX24sm57tbPOhTxSLvJSmmV:oTE6jpywlTL9p6hzF9nnF58SLRSmK

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Executes dropped EXE

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger
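The hidden-window PowerShell launch flagged above is cheap to hunt for in process-creation telemetry. As an added example (not part of the sandbox report), the script below scans constructed Sysmon-style log lines for PowerShell started with a hidden window, and also surfaces the supporting switches (-NoProfile, -NonInteractive) and decodes any -EncodedCommand payload, which PowerShell expects as base64 of UTF-16LE text. The switch-matching rule is modelled on powershell.exe's parser, which accepts any prefix of a parameter name that is at least as long as the documented short form (so -w, -win and -WindowStyle are all the same switch); treat that rule as an assumption and confirm it against the PowerShell version in your environment. The log format (timestamp|image|command line) and every log line are constructed for the example.

```python
"""Flag hidden-window PowerShell launches in process-creation logs.

Added example, not part of the sandbox report. Switch matching follows the
prefix rule assumed for powershell.exe: a token matches a parameter if it is a
prefix of the full name and at least as long as the short form. Log lines are
constructed; the "-enc" payload is built below so the decode can be checked.
"""
import base64
import shlex
from typing import Dict, List, Optional


def matches_switch(token: str, full: str, short: str) -> bool:
    """True if token (e.g. '-Win') abbreviates the parameter `full`."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return full.startswith(name) and name.startswith(short)


def decode_encoded_command(arg: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; None if it is not."""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline: str) -> Dict[str, object]:
    try:
        toks = shlex.split(cmdline, posix=False)   # keep Windows paths and quotes intact
    except ValueError:                             # unbalanced quotes: crude fallback
        toks = cmdline.split()
    result: Dict[str, object] = {"hidden_window": False, "encoded_command": None, "flags": []}
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if matches_switch(tok, "windowstyle", "w") and nxt.lower() == "hidden":
            result["hidden_window"] = True
        elif matches_switch(tok, "encodedcommand", "e") or matches_switch(tok, "ec", "ec"):
            result["encoded_command"] = decode_encoded_command(nxt)
        elif matches_switch(tok, "noprofile", "nop"):
            result["flags"].append("noprofile")
        elif matches_switch(tok, "noninteractive", "noni"):
            result["flags"].append("noninteractive")
    return result


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return analysis records for PowerShell launches with a hidden window."""
    hits = []
    for line in lines:
        ts, image, cmdline = line.split("|", 2)
        if image.lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        info = analyze_cmdline(cmdline)
        if info["hidden_window"]:
            info["timestamp"] = ts
            hits.append(info)
    return hits


# Constructed payload: what an attacker's "-enc" argument looks like on the wire.
ENCODED = base64.b64encode("Get-PSDrive -PSProvider FileSystem".encode("utf-16-le")).decode()

# Constructed log lines: timestamp|image|command line.
SAMPLE_LOG = [
    "2025-04-30T12:00:01Z|powershell.exe|powershell.exe -nop -w hidden -enc " + ENCODED,
    '2025-04-30T12:00:02Z|powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -Command "Get-Process"',
    r"2025-04-30T12:00:03Z|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "2025-04-30T12:00:04Z|cmd.exe|cmd.exe /c whoami",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The third line (a visible, script-file launch) is deliberately not flagged: hidden window is the discriminating signal here, and the other switches are reported as context rather than used as the trigger, which keeps admin automation that merely uses -NoProfile out of the alert queue.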

MITRE ATT&CK Enterprise v16

Tasks