BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

DarkCloud

83
Global rank
78 infographic chevron month
Month rank
86 infographic chevron week
Week rank
3195
IOCs

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Stealer
Type
Unknown
Origin
1 November, 2022
First seen
4 June, 2024
Last seen

How to analyze DarkCloud with ANY.RUN

Type
Unknown
Origin
1 November, 2022
First seen
4 June, 2024
Last seen

IOCs

IP addresses
103.14.121.180
184.170.144.21
167.99.35.88
198.38.82.23
181.214.142.230
Hashes
f3ebad7ef91810023cfafc2074096387baf8812681fee4401ff9cdb074ee6837
d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3
a71b0b0e0e49841af019b02c4d50194c0aa55b768fb0dcd3d7e0fdc461b02122
16329a763d15e6e2a873bf3c0ca87f5cbce617912ba840b2a375a65225f43b50
16a79ecc949598a257a379cafec6c7197eee0ae0af367c724cbf940b86250851
eb7912466cade7c02452765fc8a45ff0a140faca5a65f16b7533abe241f9eec3
3c4b57db96914647ca82a603645b1396d754382ab283a7f84094589c9a5b9635
c1d35eda4963c164ce5f73d1f22293e5452615f5219141702923d0001e2d5a66
20291700061c32fb061dcf7e3e7f87db13666b63d2a51e26b1debb403fb3e840
2f26dac5e15dffd33c32b804e298148572627165cbf983a727a7ff0ad20ba571
3084601ebb4bf83f233667588d6390bdc04cd8c0e6fdaf51d3a81fbabdb4e0ad
95262d50dafe53089c62512ec422fb473e315e7a8cbf3b2441aaa78ed45fb46c
41fba72245a47fc97ba08382fb31a6cb58d8fe33a5098948dc45fde442732790
c587f99ca9d68ca527dc2e28c72fc4ddbd5f2affc859d84d10bfd5c5c80aa842
0b7362f05fccfc83b6dc915e876ae678d98ec90297ead4f53106186c2ea60de0
33d310746c4c533488b24c9ee3ce26246d3c7637c10dbb31b0c0bd59d6f6e3c9
ec94fe18197f8fccb0e786717ba7fbafcb1f7376e6350e19c2cd7072e62dd204
eff81b3a8f5f065a55fa41bd19c23b34c740c25aace351a92ad4a96d03083f04
8b1c413baffa778290948a71a8c2113e0bb0ac9e178e52bcffcd9e778d3110e9
c96d918fa251f8c7aa3a3ce7dcecc7ee9f2841254a32815812cefc6fe83e101f
Domains
ns3.colofreed.pl
ns1.rigreo.at
ns2.fircitris.at
ns2.loklordg.at
ns3.regioklous.at
ns1.flyopenvz.ru
ns4.esriolter.at
ns4.neongit.at
ns4.koncaved.ru
turkeyhotelnoslafas.su
itemsuofitquestumequequi.com
jgworldupd.com
petroilimos.su
alefistacorm.ru
arloeiffg.com
rastobona.com
red-stoneses.com
finley.su
lochjol.com
searscanada.su
URLs
https://api.telegram.org/bot7151528784:AAFbcms5s5mObSYwvv7y4FgZaar6LzjX7NE/sendMessage
https://api.telegram.org/bot6062190835:AAFarBYBv-mQ3aLxNEnTAnblGK2thSsO8vQ/sendMessage
https://api.telegram.org/bot6800672014:AAFjIhthNxpYeDLxh4u9CJvqMfisOhMGH6M/sendMessage
https://api.telegram.org/bot6107929879:AAHV6JwXs7rcYzMGLe3_opR5_gdKAC16Ye4/sendMessage
https://api.telegram.org/bot7148308455:AAGrdlRzhjt8mx31-dFYXt4kvhbFnphSlSg/sendMessage
https://api.telegram.org/bot7070490418:AAFJ-COsGzz3b8scJZVCXnt58-J1srUH5DQ/sendMessage
https://api.telegram.org/bot6771461481:AAH7vQEIoBDQr43Dx_zORT5cGMl9_tDt0L8/sendMessage
https://api.telegram.org/bot6361371678:AAH7b9uIkhwP1TBt8t78VwxXD7LXjsOcbYk /sendMessage
https://api.telegram.org/bot6746383234:AAHJ0bggxpanHasWvjMSekrXd1f03jgHZUM/sendMessage
https://api.telegram.org/bot6946449919:AAGrwsEUPXNuNb2IKsVchu8VgWMNPhHYEN8/sendMessage
https://api.telegram.org/bot6363864044:AAEOHd3rwToTFkGX2VcAe8RqOT15foqZ6jY/sendMessage
https://api.telegram.org/bot5723230539:AAHXr6rmQsEsq1CdwKBxLF-mnANEsBE4mYk/sendMessage
https://api.telegram.org/bot6361371678:AAH7b9uIkhwP1TBt8t78VwxXD7LXjsOcbYk/sendMessage
https://api.telegram.org/bot6361371678:AAH7b9uIkhwP1TBt8t78VwxXD7LXjOcbYk/sendMessage
https://api.telegram.org/bot5881209387:AAEYbMO86ewxRCF0hqbguD3F2NjXIQs4EJU/sendMessage
https://api.telegram.org/bot5637864859:AAHatMmLjO3i5zaPb5Ppy5_wDiRtKwQUbSU/sendMessage
https://api.telegram.org/bot6028253602:AAFFbacUfiOxmvzuo36D6g83Flf23bpPXYA/sendMessage
https://api.telegram.org/bot6342175884:AAGNYnOE8HN_cXImf1tA6GQfayeeb18yP84/sendMessage
https://api.telegram.org/bot6377977757:AAG-ibHXKoh6L404CY7qxnKiYoGRL9Y8Tiw/sendMessage
https://api.telegram.org/bot6169076497:AAF7nb28rkada8zJw_x9Td8BhpXF4n2feA/sendMessage
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 171
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 190
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 341
comments 0

What is DarkCloud malware?

DarkCloud is a stealer malware written in Visual Basic. The core functionality of the malicious software is collecting and exfiltrating sensitive information from infected machines. The type of data stolen by DarkCloud ranges from user credentials to credit card details in browsers.

The malware has been active since the end of 2022 and has been widely used in attacks in 2023. DarkCloud is sold by its creators on DarkNet forums who also provide customization options, including the additional clipper module, allowing the malware to monitor the content saved by victims to the clipboard.

The most common infection chain for DarkCloud is spam emails, targeting a variety of users. The malware is usually distributed in the form of a malicious attachment. Once downloaded and launched by the user, the malware gets installed on the device and begins its malicious activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the DarkCloud malicious software

DarkCloud can engage in the following operations on the infected system:

  • Steal information: It can pull data from different browsers and FTP clients, as well as the clipboard.
  • Capture screenshots: DarkCloud can take screenshots of the user’s activities.
  • Record keystrokes: The malware has the keylogging capability, letting it keep track of everything typed on the keyboard by the victim.
  • Exfiltrate files: It is capable of grabbing files of different formats, such as .txt, .rtf, and .pdf.
  • Communicate with the C2: DarkCloud supports several communication protocols, including SMTP and via Telegram, used for relaying stolen data to the attacker.

Additionally, similar to LaplasClipper, DarkCloud is equipped with a crypto swapper, enabling it to replace the user’s crypto wallet addresses with those of the attacker.

The malware can create a Task Scheduler entry in order to gain persistence on the system.

Execution process of DarkCloud

In order to examine the entire execution chain of DarkCloud in more detail, we can upload its sample to the ANY.RUN sandbox.

As stealers strive to conceal their activities, the DarkCloud stealer employs a deliberately straightforward execution chain to minimize visibility. Consequently, the infected operating system experiences a limited number of processes, and the malware refrains from utilizing system tools. Once the payload infiltrates the compromised system, it promptly initiates its execution.

The analyzed sample injects the system binary "AppLaunch" and subsequently executes it. After initiating, DarkCloud employs time-based evasion techniques in an attempt to conceal itself from sandboxes. However, it was detected, and the configuration was successfully extracted. It then starts a process executing all malicious activities, encompassing data theft and communication with the Command and Control (C&C) server.

DarkCloud process graph shown in ANY.RUN DarkCloud's process graph demonstrated in ANY.RUN

Distribution methods of the DarkCloud malware

Just like in the case of other stealer malware, such as Formbook and Lokibot, the most common way used by attackers to distribute DarkCloud is via emails. In most cases, criminals employ social engineering and craft their messages to look legitimate. This is why victims often receive fake invoice payment requests and similar emails with files attached to them. Users who fail to recognize a scam end up downloading the malicious attachment and running it on their system, thus triggering the infection process.

Conclusion

In order to avoid falling victim to DarkCloud, it is vital to follow strict security practices. One of them is analyzing suspicious files and links in a malware sandbox. ANY.RUN is a cloud-based service that lets you investigate any email attachment or URL sent to you by an unknown sender and determine whether it poses any risk.

ANY.RUN’s interactive approach to malware analysis enables you to engage with the files and the system just like on your own computer, performing all the necessary actions to execute malicious software fully. The service provides you with comprehensive threat reports that contain details about the attack, indicators of compromise (IOCs), and other relevant information.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy