General

  • Target

    https://cdn.discordapp.com/attachments/1368694766518407251/1368894368848543787/QTN_792923_New_Order_pdf.txz?ex=6819e1ba&is=6818903a&hm=e58d522a077216ff4dd866ba7ccc6a84a70dd5933dcaca58c6c8c0389924c4bb&

  • Sample

    250505-nbzs8awvev

Malware Config

Targets

    • Target

      https://cdn.discordapp.com/attachments/1368694766518407251/1368894368848543787/QTN_792923_New_Order_pdf.txz?ex=6819e1ba&is=6818903a&hm=e58d522a077216ff4dd866ba7ccc6a84a70dd5933dcaca58c6c8c0389924c4bb&

    • DarkCloud

      An information stealer written in Visual Basic.

    • DarkCloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks