darkvnc | 43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c

Analysis

Target

idu567.tmp.dll
Size

1.6MB
MD5

18c3793f2df5ae48b55a9a1825b1c1fb
SHA1

8e90dc300bb91dd6ce57566116b156e3473cf646
SHA256

43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c
SHA512

1ebe4bbb0fd571e5d712e52b47012de1eb587008a59e1e1f3fe69ae8a9637e5466d9d8c2c0887d733734f77909e5530307c564b2218b895b88657455e49a47a0

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1184-61-0x00000000743A0000-0x000000007442A000-memory.dmp	darkvnc
behavioral1/memory/1184-62-0x00000000743A0000-0x00000000745E3000-memory.dmp	darkvnc
behavioral1/memory/1764-67-0x0000000001BF0000-0x0000000001CBA000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1184 set thread context of 1764 1184 rundll32.exe WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1184 rundll32.exe

description	pid	process	target process
PID 1184 set thread context of 1764	1184	rundll32.exe	WerFault.exe

pid	process
1184	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1916 wrote to memory of 1184	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 1184	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 1184	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 1184	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 1184	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 1184	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 1184	1916	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 1764	1184	rundll32.exe	WerFault.exe
PID 1184 wrote to memory of 1764	1184	rundll32.exe	WerFault.exe
PID 1184 wrote to memory of 1764	1184	rundll32.exe	WerFault.exe
PID 1184 wrote to memory of 1764	1184	rundll32.exe	WerFault.exe
PID 1184 wrote to memory of 1764	1184	rundll32.exe	WerFault.exe
PID 1184 wrote to memory of 1764	1184	rundll32.exe	WerFault.exe
PID 1184 wrote to memory of 1764	1184	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\idu567.tmp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\idu567.tmp.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe
    3⤵
    PID:1764

memory/1184-59-0x0000000000000000-mapping.dmp

Download
memory/1184-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1184-61-0x00000000743A0000-0x000000007442A000-memory.dmp

Filesize
552KB

Download
memory/1184-62-0x00000000743A0000-0x00000000745E3000-memory.dmp

Filesize
2.3MB

Download
memory/1184-65-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1764-63-0x0000000000000000-mapping.dmp

Download
memory/1764-64-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1764-66-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1764-67-0x0000000001BF0000-0x0000000001CBA000-memory.dmp

Filesize
808KB

Download