General

  • Target

    06052025_1642_PAYMENT CONFIRMATION SWIFT COPY_001174506_2025_pdf.txz

  • Size

    596KB

  • Sample

    250506-t74d6sgp7x

  • MD5

    086828ff33a50535bec194437c7563b2

  • SHA1

    e6327e9f2054693a782f17b5413f1b334132e23c

  • SHA256

    0bdfe3913dfc9d68494bd31cda2a82afacf58177019731c80317a111016aa1c0

  • SHA512

    398145e3938c334c493c9c9ff82d056cff8abf6f79157bace5915d03c41746bb192da86c5d1ce621563723b43388878a16841a142a5b381d5883f5e82fdcf067

  • SSDEEP

    12288:9ce6Ps8hLswqYQcnM2HLDH5UDf6t/maCw+5H4BiY9:9c3suLsiQWHo64ajuQ7

Malware Config

Targets

    • Target

      PAYMENT CONFIRMATION SWIFT COPY_001174506_2025_pdf.exe

    • Size

      675KB

    • MD5

      b92a69cfc75604cf52d2c91de5beeb41

    • SHA1

      97e61c826ba386bde3334292a06f3f02e593ebd6

    • SHA256

      36beff46ab3d106425cd35964595805f179b1fcd0400f8407bbdcbc3480b70c0

    • SHA512

      f9dced2ec5824c62fffdb91eb67055453ffba9fc7cb6f414c9cb0d28564570d361a96a25199d073d7048c679b2383c6089360061b2273e81cec97c8f0179d46b

    • SSDEEP

      12288:rEIzsB0Z2Pm7PLVbf28anA3i0bbYcvPeZALqygs+AglGE:m0kPIl83gcCeu5+Ag

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      98bdb37511634dad8d1236d91d373b26

    • SHA1

      778cf74b4f8860cc378fa4e61aeba318197783ce

    • SHA256

      938580b466533dfa1461e9858fd106b60e1a52b713380915cc03afd3e4b4573c

    • SHA512

      5a7a903c2346750f20c0b41ceb6259bc7a5c9c6779acfeef94e0cea756aebabef58fdd83389353a165530279ec74ff20b903fc9a11acf475ef9471bd5e8d140e

    • SSDEEP

      96:CjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkND3m+s:nbogRtJzTlNR8qD85uGgmkNK

    Score
    3/10

MITRE ATT&CK Enterprise v16

Tasks