Managed XDR

vtdl_1781285160_x9a41g9b (DarkCloud) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: vtdl_1781285160_x9a41g9b
Тип файла: news or mail, ASCII text, with CRLF line terminators
Размер файла: 330.4 KB
Первое обнаружение: 2026-06-12 17:31
Последнее обнаружение: 2026-06-12 17:31

Окружение

w10/x64 en

Хеши

SHA1: 93dc3f75ba465b5016707fb6a0050b6f35208ac6
SHA256: d57760b9410b12c0f4039fb4a3bdd2f2d49a1b08b483ce4fac21c30b0aaaa562
MD5: 0b648c521fcedc6f043e39e6c17228e1

Вредоносное ПО

DarkCloud

Сигнатуры

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1027.002 packer_vb: The executable file is packed using VB

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1480 system_default_lang_id_present: Checks the system language

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1552 infostealer_mail: Collects personal data from local email clients

T1552 infostealer_ftp: Collects data from local FTP clients

T1552.001 infostealer_winscp: Collects information from configuration file of WinSCP

T1552 infostealer_browser: Retrieves personal information from local Internet browsers

T1503 infostealer_browser: Retrieves personal information from local Internet browsers

T1555.003 cookie_files: Accesses cookie files

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

T1552 cookie_files: Accesses cookie files

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1057 has_wmi: Executes one or several WMI requests

T1082 has_wmi: Executes one or several WMI requests

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Collection

T1114 infostealer_mail: Collects personal data from local email clients

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

yara_rules: Static rules

network_bind: Starts servers listening at None

unexpected_exception: Unexpected exception

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call