File name:

NuevopedidoURGENTERFQ34543-23.exe

Full analysis: https://app.any.run/tasks/36511d5f-5dc7-4b98-9ced-4c1bf757ef61
Verdict: Malicious activity
Threats:

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Analysis date: November 06, 2024, 06:52:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
darkcloud
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

579BBF4985D31F623694D62EEED1805B

SHA1:

DF491098F49F3766CFD5B0A2B92A3E580882E1DA

SHA256:

33427842489EA9B9D78C13F99D0E1F02D79FC5C1304824374F109A11A475C82C

SSDEEP:

6144:B7LZAQrEtcxdsNNXF4zPnfR73OxU2YU/:B7L6QCcxds7F4rfR73OxUF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DARKCLOUD has been detected (YARA)

      • InstallUtil.exe (PID: 4260)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • NuevopedidoURGENTERFQ34543-23.exe (PID: 5932)
  • INFO

    • Checks supported languages

      • NuevopedidoURGENTERFQ34543-23.exe (PID: 5932)
    • Disables trace logs

      • NuevopedidoURGENTERFQ34543-23.exe (PID: 5932)
    • UPX packer has been detected

      • InstallUtil.exe (PID: 4260)
    • Checks proxy server information

      • NuevopedidoURGENTERFQ34543-23.exe (PID: 5932)
    • Reads the machine GUID from the registry

      • NuevopedidoURGENTERFQ34543-23.exe (PID: 5932)
    • Manual execution by a user

      • InstallUtil.exe (PID: 4260)
    • Reads the computer name

      • NuevopedidoURGENTERFQ34543-23.exe (PID: 5932)
    • Reads the software policy settings

      • NuevopedidoURGENTERFQ34543-23.exe (PID: 5932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DarkCloud

(PID) Process: (4260) InstallUtil.exe
C2: https://api.telegram.org/bot7824077250:AAFcoqx_HuY2oC2csA-0G-hez0Tv78Sn08E/sendMessage?chat_id=7546472414
Strings (126):
Cookies
Message
Contacts
credentials
COMPUTERNAME
USERNAME
Screenshot
KeyData
CryptoWallets
Files
\Default\Login Data
\Login Data
\user.config
//setting[@name='Username']/value
//setting[@name='Password']/value
Username :
STP User Name
Application : NordVPN
Software\FTPWare\COREFTP\Sites
Software\Martin Prikryl\WinSCP 2\Sessions
.txt
Application : Pidgin
Host
Port
ak@[
Pass
Application : FileZilla
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
^([a-zA-Z0-9_\-\.]+)@(a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
VBScrpt.RegExp
winmgmts:{impersonationLevel=impersonate}!\\
\root\default:StdRegProv
Microsoft
Password
Application: Outlook
COREFTP
Application: CoreFTP
hdfzpysvpzimorhk
Discover Card
*;$
rK\
^3[47][0-9]{13}$
Amex Card
^(6541|6556)[0-9]{12}$
BCGlobal
^389[0-9]{11}$
Carte Blanche Card
^3(?:0[0-5]|[68][0-9])[0-9]{11}$
Diners Club Card
^(?:2131|1800|35\\d{3})\\d{11}$
JCB Card
KoreanLocalCard
^(6304|6706|6709|6771)[0-9]{12,15}$
Laser Card
Solo Card
^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
Maestro Card
5[1-5][0-9]{14}$
Mastercard
Switch Card
^(62[0-9]{14,17})$
Union Pay Card
4[0-9]{12}(?:[0-9]{3})?$
Visa Card
^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
Visa Master Card
3[47][0-9]{13}$
\logins.json
\signons.sqlite
Foxmail.exe
Storage\
mail\
Data\
\Accounts\Account.rec0
\AccCfg\Accounts.tdat
\Account.rec0
EnableSignature
PeriodicCheckTime
OutgoingServer
OutgoingSSL
Application : FoxMail
nextId
encryptedUsername
logins
encryptedPassword
hostname
Veu'
\Local State
LOCALAPPDATA
AppData
CUSTOM
binbase64
LCit
7824077250:AAFcoqx_HuY2oC2csA-0G-hez0Tv78Sn08E
7546472414
Wy5
Select * from Win32_ComputerSystem
http://showip.net
http://www.mediacollege.com/internet/utilities/show-ip.shtml
Password :
Protocol :
Application :
6(?:011|5[0-9]{2})[0-9]{12}$
^63[7-9][0-9]{13}$
Insta Payment Card
^9[0-9]{15}$
Express Card
WScript.Shell
\Account.stg
y37
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:05 17:27:56+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 420864
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x68a4e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Mtlyuap
FileVersion: 1.0.0.0
InternalName: Mtlyuap.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: -
OriginalFileName: Mtlyuap.exe
ProductName: Mtlyuap
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> nuevopedidourgenterfq34543-23.exe (THREAT) -> installutil.exe (no specs)

Process information

PID: 4260
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5932
CMD: "C:\Users\admin\Desktop\NuevopedidoURGENTERFQ34543-23.exe"
Path: C:\Users\admin\Desktop\NuevopedidoURGENTERFQ34543-23.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Mtlyuap
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\nuevopedidourgenterfq34543-23.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 3 763
Read events: 3 749
Write events: 14
Delete events: 0

Modification events

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (5932) NuevopedidoURGENTERFQ34543-23.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NuevopedidoURGENTERFQ34543-23_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 5932
Process: NuevopedidoURGENTERFQ34543-23.exe
Filename: C:\Users\admin\AppData\Roaming\Remaining.exe
Type: executable
MD5: 579BBF4985D31F623694D62EEED1805B
SHA256: 33427842489EA9B9D78C13F99D0E1F02D79FC5C1304824374F109A11A475C82C

PID: 5932
Process: NuevopedidoURGENTERFQ34543-23.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remaining.vbs
Type: text
MD5: 32CCF895720D1C725D48F48856F764FC
SHA256: A043AC0FB99028645E2F0E56945B3A81E3544135EAB56E156C777AFBBCC72B6E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 28
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 | | GET | 200 | 190.107.177.80:443 | https://nexoproducciones.cl/Msaqzpvx.wav | CL | binary | 1.09 Mb | unknown
6944 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
6944 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 92.123.104.21:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5932 | NuevopedidoURGENTERFQ34543-23.exe | 190.107.177.80:443 | nexoproducciones.cl | SOC. COMERCIAL WIRENET CHILE LTDA. | CL | unknown
6944 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
www.bing.com
  • 92.123.104.21
  • 92.123.104.33
  • 92.123.104.29
  • 92.123.104.31
  • 92.123.104.27
  • 92.123.104.26
  • 92.123.104.32
  • 92.123.104.30
  • 92.123.104.20
whitelisted
google.com
  • 172.217.23.110
whitelisted
nexoproducciones.cl
  • 190.107.177.80
unknown
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 52.182.143.215
whitelisted

Threats

No threats detected
No debug info