File name:

TRANSFER.EXE

Full analysis: https://app.any.run/tasks/ecc4bf0e-acfe-438f-bec2-721e69e90783
Verdict: Malicious activity
Threats:

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Malware Trends Tracker     >>>
Analysis date: December 05, 2023, 14:29:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
darkcloud
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

690C38349BC27D13DF0EA4936F8A7447

SHA1:

3E362375C73B19A9536E5FDD960330A0CDC1272A

SHA256:

C4D31C615DCCF6366E28B92B5938735D5A16F8D014A96231582EA7BC8FEBF321

SSDEEP:

12288:FbuSa94ZILYR2b+H6j496jzFY5YbheYRdmo/a7Y:FbuSk4ZIYR2b+H6j496jzFY5OheYRdVl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DARKCLOUD has been detected (YARA)

      • CasPol.exe (PID: 792)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Checks supported languages

      • TRANSFER.EXE (PID: 2820)
      • CasPol.exe (PID: 792)

    • Reads the computer name

      • TRANSFER.EXE (PID: 2820)

    • Reads the machine GUID from the registry

      • TRANSFER.EXE (PID: 2820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DarkCloud

(PID) Process(792) CasPol.exe
C2https://api.telegram.org/bot6946449919:AAGrwsEUPXNuNb2IKsVchu8VgWMNPhHYEN8/sendMessage?chat_id=6800267549
Strings (130)Cookies
Messages
Contacts
COMPUTERNAME
USERNAME
Screenshot
KeyData
CryptoWallets
Files
\Default\Login Data
\Login Data
\user.config
//setting[@name='Username']/value
//setting[@name='Password']/value
Username :
Password :
Application : NordVPN
User
Protocol :
Software\FTPWare\COREFTP\Sites
Software\Martin Prikryl\WinSCP 2\Sessios
.txt
Application : Pidgin
Host
Port
Ob-!
Application : FileZilla
SMTP Email Address
sR|sS (UK~2
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
winmgmts:{impersonationLevel=impersonate}!\\
\root\default:StdRegProv
Microsoft
Password
Application: Outlook
COREFTP
Application: CoreFTP
hdfzpysvpzimorhk
Amex Card
Application:
^3[47][0-9]{13}$
f U
c$(
^(6541|6556)[0-9]{12}$
BCGlobal
^389[0-9]{11}$
Carte Blanche Card
^3(?:0[0-5]|[68][0-9])[0-9]{11}$
Diners Club Card
6(?:011|5[0-9]{2})[0-9]{12}$
Discover Card
Insta Payment Card
^(?:2131|1800|35\\d{3})\\d{11}$
Switch Card
^9[0-9]{15}$
KoreanLocalCard
Mastercard
^(6304|6706|6709|6771)[0-9]{12,15}$
Laser Card
5[1-5][0-9]{14}$
^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
aetro Card
Data\
Solo Card
^(62[0-9]{14,17})$
Union Pay Card
4[0-9]{12}(?:[0-9]{3})?$
Visa Card
^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
Visa Master Card
3[47][0-9]{13}$
Express Card
\logins.json
\signons.sqlite
WScript.Shell
Foxmail.exe
Storage\
(R_je
\Accounts\Account.rec0
\Account.stg
AccCfg\Accounts.tdat
\Account.rec0
EnableSignature
PeriodicCheckTime
OutgoingServer
OutgoingSSL
Application : FoxMail
nextId
encryptedUsername
logins
encryptedPassword
! |2
\Local State
LOCALAPPDATA
AppData
CUSTOM
gP
bin.base64
GX!p
6946449919:AAGrwsEUPXNuNb2IKsVchu8VgWMNPhHYEN8
6800267549
R ko
Select * from Win32_ComputerSystem
\cookies.db
\Cookies
\cookies.sqlite
http://showip.net
http://www.mediacollege.com/internet/utilities/show-ip.shtml
credentials
VBScript.RegExp
^63[7-9][0-9]{13}
JCB Card
hostname
\Default\Cookies
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2085:09:24 08:58:42+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 346112
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0x5666e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: MKiJ987
FileVersion: 1.0.0.0
InternalName: MKiJ987.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: -
OriginalFileName: MKiJ987.exe
ProductName: MKiJ987
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start transfer.exe no specs #DARKCLOUD caspol.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
792"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
TRANSFER.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Framework CAS Policy Manager
Exit code:
0
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\caspol.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
DarkCloud
(PID) Process(792) CasPol.exe
C2https://api.telegram.org/bot6946449919:AAGrwsEUPXNuNb2IKsVchu8VgWMNPhHYEN8/sendMessage?chat_id=6800267549
Strings (130)Cookies
Messages
Contacts
COMPUTERNAME
USERNAME
Screenshot
KeyData
CryptoWallets
Files
\Default\Login Data
\Login Data
\user.config
//setting[@name='Username']/value
//setting[@name='Password']/value
Username :
Password :
Application : NordVPN
User
Protocol :
Software\FTPWare\COREFTP\Sites
Software\Martin Prikryl\WinSCP 2\Sessios
.txt
Application : Pidgin
Host
Port
Ob-!
Application : FileZilla
SMTP Email Address
sR|sS (UK~2
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
winmgmts:{impersonationLevel=impersonate}!\\
\root\default:StdRegProv
Microsoft
Password
Application: Outlook
COREFTP
Application: CoreFTP
hdfzpysvpzimorhk
Amex Card
Application:
^3[47][0-9]{13}$
f U
c$(
^(6541|6556)[0-9]{12}$
BCGlobal
^389[0-9]{11}$
Carte Blanche Card
^3(?:0[0-5]|[68][0-9])[0-9]{11}$
Diners Club Card
6(?:011|5[0-9]{2})[0-9]{12}$
Discover Card
Insta Payment Card
^(?:2131|1800|35\\d{3})\\d{11}$
Switch Card
^9[0-9]{15}$
KoreanLocalCard
Mastercard
^(6304|6706|6709|6771)[0-9]{12,15}$
Laser Card
5[1-5][0-9]{14}$
^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
aetro Card
Data\
Solo Card
^(62[0-9]{14,17})$
Union Pay Card
4[0-9]{12}(?:[0-9]{3})?$
Visa Card
^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
Visa Master Card
3[47][0-9]{13}$
Express Card
\logins.json
\signons.sqlite
WScript.Shell
Foxmail.exe
Storage\
(R_je
\Accounts\Account.rec0
\Account.stg
AccCfg\Accounts.tdat
\Account.rec0
EnableSignature
PeriodicCheckTime
OutgoingServer
OutgoingSSL
Application : FoxMail
nextId
encryptedUsername
logins
encryptedPassword
! |2
\Local State
LOCALAPPDATA
AppData
CUSTOM
gP
bin.base64
GX!p
6946449919:AAGrwsEUPXNuNb2IKsVchu8VgWMNPhHYEN8
6800267549
R ko
Select * from Win32_ComputerSystem
\cookies.db
\Cookies
\cookies.sqlite
http://showip.net
http://www.mediacollege.com/internet/utilities/show-ip.shtml
credentials
VBScript.RegExp
^63[7-9][0-9]{13}
JCB Card
hostname
\Default\Cookies
2820"C:\Users\admin\AppData\Local\Temp\TRANSFER.EXE" C:\Users\admin\AppData\Local\Temp\TRANSFER.EXEexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MKiJ987
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\transfer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
Total events
91
Read events
91
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1956
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
324
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TRANSFER.EXE