General

  • Target

    25038144486e49d6a54f3780484b2033.bin

  • Size

    776KB

  • Sample

    250501-bglgkacm6s

  • MD5

    86beb38a654b1742246c6d7607bc40e5

  • SHA1

    03cc5ea74efaf10f42400a23fc73a60272bdfd0f

  • SHA256

    57d5efce8ffca83db63dedc8e333e5f07a4613c276b0b1097febba9371d78336

  • SHA512

    983f837740f0e4eb7f12c2d77cfd2c9c99a89d239ffbdc1dbf550345f845b0d795e4d8f32d4870658bd66b2e4e1239f3087c10d74951650ab0c9adb31b86e1e9

  • SSDEEP

    24576:wck5xGBfp52OvdECDLqWayovqzNKv7909CT:xkjGBxNvdECHqWaydgvK9A

Malware Config

Targets

    • Target

      f49075854c53ae61920881846fac69180afd3276f6c5ffdc0f7740e2a712e762.exe

    • Size

      962KB

    • MD5

      25038144486e49d6a54f3780484b2033

    • SHA1

      5ac81bd87347f0baa3fd65daaab01b8bf894ce2a

    • SHA256

      f49075854c53ae61920881846fac69180afd3276f6c5ffdc0f7740e2a712e762

    • SHA512

      57a635da52b1dfed5d0358b548cde68bd90cf92363033963022900a823aaef4561c44ad72fac429e4247286700098d9f327206a2967a025f90e5444ab2b838a9

    • SSDEEP

      12288:vuXRY5dWqpG2mf+zQt3k1HiVqg6PBi659FbfxlrjBktZc0XsjQco0rv6Ktw+0dDq:vSoWmG2mW1HiqnFDrtCc08jQc/

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks