darkvnc | 549294145687d56bced5ae786f90fd4ec2aa4730e80f31f3b886e3a603f1e47e

Analysis

Target

c1b1b337c38d525e3430e3c1e90ae355.exe
Size

416KB
MD5

c1b1b337c38d525e3430e3c1e90ae355
SHA1

93095f8cb0d9c047eaaa28441174824e0a60f69d
SHA256

549294145687d56bced5ae786f90fd4ec2aa4730e80f31f3b886e3a603f1e47e
SHA512

7ba20b2ac63f87a0c25d5edb61425a16040c65b0fe2cfa21e654f5a4bec070d1525b47c217afe713fec85d435c7292f48e85924e28585553a400610fa186c980

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC Payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/336-63-0x0000000000690000-0x0000000000718000-memory.dmp	darkvnc
behavioral1/memory/336-64-0x0000000000400000-0x0000000000612000-memory.dmp	darkvnc
behavioral1/memory/1360-66-0x0000000001C00000-0x0000000001CCA000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 336 set thread context of 1360	336	c1b1b337c38d525e3430e3c1e90ae355.exe	29

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
336	c1b1b337c38d525e3430e3c1e90ae355.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 1360	336	c1b1b337c38d525e3430e3c1e90ae355.exe	29
PID 336 wrote to memory of 1360	336	c1b1b337c38d525e3430e3c1e90ae355.exe	29
PID 336 wrote to memory of 1360	336	c1b1b337c38d525e3430e3c1e90ae355.exe	29
PID 336 wrote to memory of 1360	336	c1b1b337c38d525e3430e3c1e90ae355.exe	29
PID 336 wrote to memory of 1360	336	c1b1b337c38d525e3430e3c1e90ae355.exe	29
PID 336 wrote to memory of 1360	336	c1b1b337c38d525e3430e3c1e90ae355.exe	29
PID 336 wrote to memory of 1360	336	c1b1b337c38d525e3430e3c1e90ae355.exe	29

C:\Users\Admin\AppData\Local\Temp\c1b1b337c38d525e3430e3c1e90ae355.exe
"C:\Users\Admin\AppData\Local\Temp\c1b1b337c38d525e3430e3c1e90ae355.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:1360

memory/336-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/336-63-0x0000000000690000-0x0000000000718000-memory.dmp

Filesize
544KB

Download
memory/336-64-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1360-62-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmp

Filesize
8KB

Download
memory/1360-66-0x0000000001C00000-0x0000000001CCA000-memory.dmp

Filesize
808KB

Download
memory/1360-65-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download