darkvnc | 43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c

Analysis

Target

idu567.tmp.dll
Size

1.6MB
MD5

18c3793f2df5ae48b55a9a1825b1c1fb
SHA1

8e90dc300bb91dd6ce57566116b156e3473cf646
SHA256

43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c
SHA512

1ebe4bbb0fd571e5d712e52b47012de1eb587008a59e1e1f3fe69ae8a9637e5466d9d8c2c0887d733734f77909e5530307c564b2218b895b88657455e49a47a0

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4868-115-0x0000000073660000-0x00000000736EA000-memory.dmp	darkvnc
behavioral2/memory/4868-116-0x0000000073660000-0x00000000738A3000-memory.dmp	darkvnc
behavioral2/memory/2432-121-0x00000195FA8A0000-0x00000195FAB99000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4868 set thread context of 2432 4868 rundll32.exe WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

4868 rundll32.exe

description	pid	process	target process
PID 4868 set thread context of 2432	4868	rundll32.exe	WerFault.exe

pid	process
4868	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4796 wrote to memory of 4868	4796	rundll32.exe	rundll32.exe
PID 4796 wrote to memory of 4868	4796	rundll32.exe	rundll32.exe
PID 4796 wrote to memory of 4868	4796	rundll32.exe	rundll32.exe
PID 4868 wrote to memory of 2432	4868	rundll32.exe	WerFault.exe
PID 4868 wrote to memory of 2432	4868	rundll32.exe	WerFault.exe
PID 4868 wrote to memory of 2432	4868	rundll32.exe	WerFault.exe
PID 4868 wrote to memory of 2432	4868	rundll32.exe	WerFault.exe
PID 4868 wrote to memory of 2432	4868	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\idu567.tmp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\idu567.tmp.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe
    3⤵
    PID:2432

memory/2432-118-0x0000000000000000-mapping.dmp

Download
memory/2432-121-0x00000195FA8A0000-0x00000195FAB99000-memory.dmp

Filesize
3.0MB

Download
memory/2432-120-0x00000195FA750000-0x00000195FA751000-memory.dmp

Filesize
4KB

Download
memory/4868-114-0x0000000000000000-mapping.dmp

Download
memory/4868-115-0x0000000073660000-0x00000000736EA000-memory.dmp

Filesize
552KB

Download
memory/4868-116-0x0000000073660000-0x00000000738A3000-memory.dmp

Filesize
2.3MB

Download
memory/4868-117-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download