Managed XDR

vade_clean_varist_posi...data_2nd_batch_200.eml (DarkCloud) — malware analysis report

File info

Filename: vade_clean_varist_positive_data_2nd_batch_200.eml
File type: ASCII text
File size: 1 MB
First seen: 2025-03-14 19:24
Last seen: 2025-03-14 19:24

Environment

win7/x86 en

Hashes

SHA1: e72c51040d5afcee2a5195dd68cec8e64e9fb755
SHA256: 78aa60aa4d2d774de578dae60d9bc0bc58c216563aa9e64e2488696db5590235
MD5: 94921ba486001279b8f35c9431e23774

Malwares

DarkCloud

Signatures

Execution

T1059 autoit: AutoIt script execution detected

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1055.012 injection_runpe: Injects code into another process

T1055 sets_debug_registers: Sets debug registers for a thread in a different process

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.012 injection_runpe: Injects code into another process

T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files

T1055 sets_debug_registers: Sets debug registers for a thread in a different process

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1027.002 packer_vb: The executable file is packed using VB

T1480 system_default_lang_id_present: Checks the system language

T1070 stealth_window: A process created a hidden window

Credential Access

T1503 infostealer_browser: Retrieves personal information from local Internet browsers

T1552 infostealer_browser: Retrieves personal information from local Internet browsers

T1552 infostealer_mail: Collects personal data from local email clients

T1552 cookie_files: Accesses cookie files

T1555.003 cookie_files: Accesses cookie files

Collection

T1114 infostealer_mail: Collects personal data from local email clients

Other

yara_rules: Static rules

creates_exe: Creates executable files in the file system

suspicious_process: Spawns a suspicious process

unexpected_exception: Unexpected exception

no_graphical_activity: No graphic activity

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

Related reports

Managed XDR