Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DarkCloud

106
Global rank
67
Month rank
53 infographic chevron week
Week rank
0
IOCs

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Stealer
Type
Unknown
Origin
1 November, 2022
First seen
20 January, 2025
Last seen

How to analyze DarkCloud with ANY.RUN

Type
Unknown
Origin
1 November, 2022
First seen
20 January, 2025
Last seen

IOCs

IP addresses
103.14.121.180
184.170.144.21
167.99.35.88
198.38.82.23
181.214.142.230
Domains
buberty.ru
ns3.ganr.pl
ukrini.ru
spotsapples2.com
qgkgkqwymkaakias.org
objectvoid.com
ns1.free-dns-service.biz
dns2.fortservices.ru
gmdsystems.com
ns3.yurosilo.ru
ns4.froikt.ru
prophosthdor.su
truefish.ru
ns1.spexcxc.ru
ns3.icaldns.in
gameforesterlo.com
llar-united.su
ns1.svl.kz
smokejuse.su
inxsite.com
URLs
http://showip.net/
https://api.telegram.org/bot8181099166:AAHWiTz10g_-_BPRNk3yroxe3fl_IXTpU7s/sendMessage
https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage
https://api.telegram.org/bot5168654140:AAE_I-CRa2apQXXWxhBTEaeIEr1Ln5pw69s/sendMessage
https://api.telegram.org/bot8171626722:AAGIo9PvRpFrmWwamfv0SMURLy1PCYFG9a8/sendMessage
https://api.telegram.org/bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendMessage
https://api.telegram.org/bot8136579075:AAGj0tA4jaUAY9OKp-x5cJn4qOrj2emlQuE/sendMessage
https://api.telegram.org/bot7824077250:AAFcoqx_HuY2oC2csA-0G-hez0Tv78Sn08E/sendMessage
https://api.telegram.org/bot7445405280:AAEJ_GT4WPzyc4zhBSNoaA4ZnBnixbthzkw/sendMessage
https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendMessage
https://api.telegram.org/bot6686872771:AAGUwkUh0LMB8XwZ6Sv6jR4DHAsdZafImc0/sendMessage
https://api.telegram.org/bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendMessage
https://api.telegram.org/bot7583426817:AAE6Rp0SEWFrRdtVPoi6UBYXkQm2kRC4tzU/sendMessage
https://api.telegram.org/bot8069816150:AAGUqkcMn6u9wnhjGwn59_cFD18VE7JaJgI/sendMessage
https://api.telegram.org/bot7931237700:AAFORR1Anw56W1hHiiNueaGqnQE3qJUmrxQ/sendMessage
https://api.telegram.org/bot5723230539:AAHXr6rmQsEsq1CdwKBxLF-mnANEsBE4mYk/sendMessage
https://api.telegram.org/bot6201772437:AAE8z2HCV4dlViF8O7_bVozdyvuR6EkBCPA/sendMessage
https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendMessage
https://api.telegram.org/bot7151528784:AAFbcms5s5mObSYwvv7y4FgZaar6LzjX7NE/sendMessage
https://api.telegram.org/bot6062190835:AAFarBYBv-mQ3aLxNEnTAnblGK2thSsO8vQ/sendMessage
Last Seen at

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 4958
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 680
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 557
comments 0

What is DarkCloud malware?

DarkCloud is a stealer malware written in Visual Basic. The core functionality of the malicious software is collecting and exfiltrating sensitive information from infected machines. The type of data stolen by DarkCloud ranges from user credentials to credit card details in browsers.

The malware has been active since the end of 2022 and has been widely used in attacks in 2023. DarkCloud is sold by its creators on DarkNet forums who also provide customization options, including the additional clipper module, allowing the malware to monitor the content saved by victims to the clipboard.

The most common infection chain for DarkCloud is spam emails, targeting a variety of users. The malware is usually distributed in the form of a malicious attachment. Once downloaded and launched by the user, the malware gets installed on the device and begins its malicious activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the DarkCloud malicious software

DarkCloud can engage in the following operations on the infected system:

  • Steal information: It can pull data from different browsers and FTP clients, as well as the clipboard.
  • Capture screenshots: DarkCloud can take screenshots of the user’s activities.
  • Record keystrokes: The malware has the keylogging capability, letting it keep track of everything typed on the keyboard by the victim.
  • Exfiltrate files: It is capable of grabbing files of different formats, such as .txt, .rtf, and .pdf.
  • Communicate with the C2: DarkCloud supports several communication protocols, including SMTP and via Telegram, used for relaying stolen data to the attacker.

Additionally, similar to LaplasClipper, DarkCloud is equipped with a crypto swapper, enabling it to replace the user’s crypto wallet addresses with those of the attacker.

The malware can create a Task Scheduler entry in order to gain persistence on the system.

Execution process of DarkCloud

In order to examine the entire execution chain of DarkCloud in more detail, we can upload its sample to the ANY.RUN sandbox.

As stealers strive to conceal their activities, the DarkCloud stealer employs a deliberately straightforward execution chain to minimize visibility. Consequently, the infected operating system experiences a limited number of processes, and the malware refrains from utilizing system tools. Once the payload infiltrates the compromised system, it promptly initiates its execution.

The analyzed sample injects the system binary "AppLaunch" and subsequently executes it. After initiating, DarkCloud employs time-based evasion techniques in an attempt to conceal itself from sandboxes. However, it was detected, and the configuration was successfully extracted. It then starts a process executing all malicious activities, encompassing data theft and communication with the Command and Control (C&C) server.

DarkCloud process graph shown in ANY.RUN DarkCloud's process graph demonstrated in ANY.RUN

Distribution methods of the DarkCloud malware

Just like in the case of other stealer malware, such as Formbook and Lokibot, the most common way used by attackers to distribute DarkCloud is via emails. In most cases, criminals employ social engineering and craft their messages to look legitimate. This is why victims often receive fake invoice payment requests and similar emails with files attached to them. Users who fail to recognize a scam end up downloading the malicious attachment and running it on their system, thus triggering the infection process.

Conclusion

In order to avoid falling victim to DarkCloud, it is vital to follow strict security practices. One of them is analyzing suspicious files and links in a malware sandbox. ANY.RUN is a cloud-based service that lets you investigate any email attachment or URL sent to you by an unknown sender and determine whether it poses any risk.

ANY.RUN’s interactive approach to malware analysis enables you to engage with the files and the system just like on your own computer, performing all the necessary actions to execute malicious software fully. The service provides you with comprehensive threat reports that contain details about the attack, indicators of compromise (IOCs), and other relevant information.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More