File name:

Mod 347.exe

Full analysis: https://app.any.run/tasks/c4e8d2de-3513-4a52-83a7-6baffffb2b36
Verdict: Malicious activity
Threats:

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Analysis date: February 10, 2025, 09:57:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
darkcloud
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 5 sections
MD5:

A687FB499C7CB60B63C7DB7754845368

SHA1:

DCFBE8FE567F138FC5F68A5F353812069301AB6A

SHA256:

93637CD99AF51D3B69EC6F77A5D49A5C470093D3CF4C3D45FA6EDBFF8252372A

SSDEEP:

12288:LajuNx5IknBNVcv5Paep+IXIj4ofav9u3aMNyPCyyhrYSxe:Gjwx5IkBNVcv5PRp+IXIj4ofav9uqMNg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DARKCLOUD has been detected (YARA)

      • CasPol.exe (PID: 6196)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads the computer name

      • Mod 347.exe (PID: 5200)
    • UPX packer has been detected

      • CasPol.exe (PID: 6196)
    • Reads the machine GUID from the registry

      • Mod 347.exe (PID: 5200)
    • Checks supported languages

      • Mod 347.exe (PID: 5200)
      • CasPol.exe (PID: 6196)

DarkCloud

(PID) Process: 6196 CasPol.exe
C2: https://api.telegram.org/bot7684022823:AAFw0jHSu-b4qs6N7yC88nUOR8ovPrCdIrs/sendMessage?chat_id=6542615755
Strings (123):
Cookies
Messages
Contacts
COMPUTERNAME
USERNAME
Screenshot
KeyData
CryptoWallets
Files
\Default\Login Data
\Login Data
\user.config
//setting[@name='Username']/value
//setting[@name='Password']/value
Username :
Password :
Software\FTPWare\COEFTP\Sites
Application : Pidgin
Software\Martin Prikryl\WinSCP 2\Sessions
.txt
RY5
Port
User
g)fA
Application : FileZilla
SMTP Email Address
Email
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
HTTP User
HTTP Server URL
POP3 User
IMP User
HTTPMail User Name
HTTPMail Server
SMTP User
^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
winmmts:{impersonationLevel=impersonate}!\\
\root\default:StdRegProv
Application: Outlook
COREFTP
Application: CoreFTP
hdfzpysvpzmorhk
Application :
l:1
d:o
^3[47][0-9]{13}$
Amex Card
^(6541|6556)[0-9]{12}$
BCGlobal
^389[0-9]{11}$
Carte Blanche Card
^3(?:0[0-5]|[68][0-9])[0-9]{11}$
Diners Club Card
6(?:011|5[0-9]{2})[0-9]{12}$
Discover Card
^63[7-9][0-9]{13}$
Ista Payment Card
^(?:2131|1800|35\\d{3})\\d{11}
JCB Card
5[1-5][0-9]{14}$
KoreanLocalCard
^(6304|6706|6709|6771)[0-9]{12,15}$
Laser Card
^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
Maestro Card
Mastercard
Solo Card
Switch Card
^(62[0-9]{14,17})$
Union Pay Card
4[0-9]{12}(?:[0-9]{3})?$
Visa Card
^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
Visa Master Card
3[47][0-9]{13}$
Express Card
\logins.json
\signons.sqlite
WScript.Shell
Foxmail.exe
Storage\
O4xd3
Data\
\Accounts\Account.rec0
\Account.stg
\AccCfg\Accounts.tdat
\Account.rec0
EnableSignature
PeriodicCheckTime
OutgingServer
OutgoingSSL
Application : FoxMail
nextId
encryptedUsername
logins
encryptedPassword
hostname
CDOh
\Local State
LOCALAPPDATA
AppData
CUSTOM
(.P
bin.base64
EshA
qP*
7684022823:AAFw0jHSu-b4qs6N7yC88nUOR8ovPrCdIrs
6542615755
credentials
Application : NordVPN
Protocol :
IMAP User Name
SMTP Server
Password
VBScript.RegExp
Microsoft
^9[0-9]{15}$
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2065:03:10 03:47:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 32256
InitializedDataSize: 412672
UninitializedDataSize: -
EntryPoint: 0x7200a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: VXVYDF
FileVersion: 1.0.0.0
InternalName: VXVYDF.exe
LegalCopyright: Copyright © 2025
LegalTrademarks: -
OriginalFileName: VXVYDF.exe
ProductName: VXVYDF
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes
129
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

start -> Mod 347.exe (no specs) -> #DARKCLOUD CasPol.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 5200
CMD: "C:\Users\admin\AppData\Local\Temp\Mod 347.exe"
Path: C:\Users\admin\AppData\Local\Temp\Mod 347.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
VXVYDF
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\mod 347.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6196
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Parent process: Mod 347.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Framework CAS Policy Manager
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\caspol.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events
81
Read events
81
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
31
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6068
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5728
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7032
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7032
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6068
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6068
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
6068
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.139:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1176
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
google.com
  • 142.250.186.142
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
www.bing.com
  • 104.126.37.139
  • 104.126.37.153
  • 104.126.37.147
  • 104.126.37.136
  • 104.126.37.137
  • 104.126.37.145
  • 104.126.37.138
  • 104.126.37.146
  • 104.126.37.154
whitelisted
login.live.com
  • 20.190.160.64
  • 20.190.160.22
  • 20.190.160.65
  • 20.190.160.130
  • 20.190.160.128
  • 20.190.160.17
  • 20.190.160.4
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 184.30.131.245
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info