BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

DarkCloud

75
Global rank
45 infographic chevron month
Month rank
76 infographic chevron week
Week rank
218
IOCs

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Stealer
Type
Unknown
Origin
1 November, 2022
First seen
8 February, 2024
Last seen

How to analyze DarkCloud with ANY.RUN

Type
Unknown
Origin
1 November, 2022
First seen
8 February, 2024
Last seen

IOCs

Hashes
9d16f030796c701a2fc2481bf376df82914d34581547795b81154e3f249f1549
0802c13f11828457c8cd914c34d00517fc2ddccfb9060f34d90d01c01db4e47e
a71b0b0e0e49841af019b02c4d50194c0aa55b768fb0dcd3d7e0fdc461b02122
16a79ecc949598a257a379cafec6c7197eee0ae0af367c724cbf940b86250851
d363a0101122b51e0bf68805358b28d087a616ebf04d666c6182fc6549fc8a22
3e4c08f6c576544f406c83ea2361fadddc27361044b615e391fff3d9bf4e4ca2
2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108
c947d0006e18dae974d4b08a5e289911ac8645e5d1f148545535c361a6035ca0
78b984255563f6e9fd26b210764ed39935bc6bb73258e417b2cd88f5b2c53399
3084601ebb4bf83f233667588d6390bdc04cd8c0e6fdaf51d3a81fbabdb4e0ad
37d9d25dc72449f4bbdf92bf70511684bd3819f8306f363eb1cfd6fd0e91e365
aa5c1f95c403a035f8eebcc9c23b7421633d41e0a254ad859173a3763bc7d433
c587f99ca9d68ca527dc2e28c72fc4ddbd5f2affc859d84d10bfd5c5c80aa842
9471ebf81af353bf00c68de327f04e3c68d90e69296a102873f5b570fc00ff6f
9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
6081caf04b77da020291a97e99ee0f33b0901075ed1be7f783a43bd4d23d3977
33d310746c4c533488b24c9ee3ce26246d3c7637c10dbb31b0c0bd59d6f6e3c9
d1fcb7d17c9a3b228c9ae974d5ec478212c77eb17f4abff26c400f92dc42a6d0
4efc90ae76d32655754a1885cadb870f90676ed1457d096bbe3c6f472a9102fa
URLs
https://api.telegram.org/bot6746383234:AAHJ0bggxpanHasWvjMSekrXd1f03jgHZUM/sendMessage
https://api.telegram.org/bot6946449919:AAGrwsEUPXNuNb2IKsVchu8VgWMNPhHYEN8/sendMessage
https://api.telegram.org/bot6062190835:AAFarBYBv-mQ3aLxNEnTAnblGK2thSsO8vQ/sendMessage
https://api.telegram.org/bot6363864044:AAEOHd3rwToTFkGX2VcAe8RqOT15foqZ6jY/sendMessage
https://api.telegram.org/bot5723230539:AAHXr6rmQsEsq1CdwKBxLF-mnANEsBE4mYk/sendMessage
https://api.telegram.org/bot6361371678:AAH7b9uIkhwP1TBt8t78VwxXD7LXjsOcbYk/sendMessage
https://api.telegram.org/bot6361371678:AAH7b9uIkhwP1TBt8t78VwxXD7LXjOcbYk/sendMessage
https://api.telegram.org/bot6107929879:AAHV6JwXs7rcYzMGLe3_opR5_gdKAC16Ye4/sendMessage
https://api.telegram.org/bot5881209387:AAEYbMO86ewxRCF0hqbguD3F2NjXIQs4EJU/sendMessage
https://api.telegram.org/bot5637864859:AAHatMmLjO3i5zaPb5Ppy5_wDiRtKwQUbSU/sendMessage
https://api.telegram.org/bot6028253602:AAFFbacUfiOxmvzuo36D6g83Flf23bpPXYA/sendMessage
https://api.telegram.org/bot6342175884:AAGNYnOE8HN_cXImf1tA6GQfayeeb18yP84/sendMessage
https://api.telegram.org/bot6377977757:AAG-ibHXKoh6L404CY7qxnKiYoGRL9Y8Tiw/sendMessage
https://api.telegram.org/bot6169076497:AAF7nb28rkada8zJw_x9Td8BhpXF4n2feA/sendMessage
https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendMessage
https://api.telegram.org/bot6361968859:AAE8jtQez0mj9cei6S5LDxJ6aEmWADhYLLc/sendMessage
https://api.telegram.org/bot6392998330:AAEoU34KkrBXWdYsC0HHJhwWS-tXdCQBgic/sendMessage
https://api.telegram.org/bot6201772437:AAE8z2HCV4dlViF8O7_bVozdyvuR6EkBCPA/sendMessage
https://api.telegram.org/bot5469538976:AAFdzaDz-Om7m7qU_DDiNd24O2rLbS-p0lY/sendMessage
https://api.telegram.org/bot6474909072:AAE35t_kjfFFVCPF7xcGUBipQxF6QCUotU/sendMessage
Last Seen at

Recent blog posts

post image
DCRat: Step-by-Step Analysis in ANY.RUN
watchers 867
comments 0
post image
Analyzing Linux Malware in ANY.RUN: 3 exampl...
watchers 333
comments 0
post image
What is Crypto Malware: Definition and Analys...
watchers 315
comments 0

What is DarkCloud malware?

DarkCloud is a stealer malware written in Visual Basic. The core functionality of the malicious software is collecting and exfiltrating sensitive information from infected machines. The type of data stolen by DarkCloud ranges from user credentials to credit card details in browsers.

The malware has been active since the end of 2022 and has been widely used in attacks in 2023. DarkCloud is sold by its creators on DarkNet forums who also provide customization options, including the additional clipper module, allowing the malware to monitor the content saved by victims to the clipboard.

The most common infection chain for DarkCloud is spam emails, targeting a variety of users. The malware is usually distributed in the form of a malicious attachment. Once downloaded and launched by the user, the malware gets installed on the device and begins its malicious activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the DarkCloud malicious software

DarkCloud can engage in the following operations on the infected system:

  • Steal information: It can pull data from different browsers and FTP clients, as well as the clipboard.
  • Capture screenshots: DarkCloud can take screenshots of the user’s activities.
  • Record keystrokes: The malware has the keylogging capability, letting it keep track of everything typed on the keyboard by the victim.
  • Exfiltrate files: It is capable of grabbing files of different formats, such as .txt, .rtf, and .pdf.
  • Communicate with the C2: DarkCloud supports several communication protocols, including SMTP and via Telegram, used for relaying stolen data to the attacker.

Additionally, similar to LaplasClipper, DarkCloud is equipped with a crypto swapper, enabling it to replace the user’s crypto wallet addresses with those of the attacker.

The malware can create a Task Scheduler entry in order to gain persistence on the system.

Execution process of DarkCloud

In order to examine the entire execution chain of DarkCloud in more detail, we can upload its sample to the ANY.RUN sandbox.

As stealers strive to conceal their activities, the DarkCloud stealer employs a deliberately straightforward execution chain to minimize visibility. Consequently, the infected operating system experiences a limited number of processes, and the malware refrains from utilizing system tools. Once the payload infiltrates the compromised system, it promptly initiates its execution.

The analyzed sample injects the system binary "AppLaunch" and subsequently executes it. After initiating, DarkCloud employs time-based evasion techniques in an attempt to conceal itself from sandboxes. However, it was detected, and the configuration was successfully extracted. It then starts a process executing all malicious activities, encompassing data theft and communication with the Command and Control (C&C) server.

DarkCloud process graph shown in ANY.RUN DarkCloud's process graph demonstrated in ANY.RUN

Distribution methods of the DarkCloud malware

Just like in the case of other stealer malware, such as Formbook and Lokibot, the most common way used by attackers to distribute DarkCloud is via emails. In most cases, criminals employ social engineering and craft their messages to look legitimate. This is why victims often receive fake invoice payment requests and similar emails with files attached to them. Users who fail to recognize a scam end up downloading the malicious attachment and running it on their system, thus triggering the infection process.

Conclusion

In order to avoid falling victim to DarkCloud, it is vital to follow strict security practices. One of them is analyzing suspicious files and links in a malware sandbox. ANY.RUN is a cloud-based service that lets you investigate any email attachment or URL sent to you by an unknown sender and determine whether it poses any risk.

ANY.RUN’s interactive approach to malware analysis enables you to engage with the files and the system just like on your own computer, performing all the necessary actions to execute malicious software fully. The service provides you with comprehensive threat reports that contain details about the attack, indicators of compromise (IOCs), and other relevant information.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy