darkvnc | 549294145687d56bced5ae786f90fd4ec2aa4730e80f31f3b886e3a603f1e47e

Analysis

Target

c1b1b337c38d525e3430e3c1e90ae355.exe
Size

416KB
MD5

c1b1b337c38d525e3430e3c1e90ae355
SHA1

93095f8cb0d9c047eaaa28441174824e0a60f69d
SHA256

549294145687d56bced5ae786f90fd4ec2aa4730e80f31f3b886e3a603f1e47e
SHA512

7ba20b2ac63f87a0c25d5edb61425a16040c65b0fe2cfa21e654f5a4bec070d1525b47c217afe713fec85d435c7292f48e85924e28585553a400610fa186c980

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3924 created 3560	3924	WerFault.exe	65

DarkVNC Payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3560-116-0x0000000000400000-0x0000000000612000-memory.dmp	darkvnc
behavioral2/memory/2224-118-0x000001BDDC890000-0x000001BDDC95A000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3560 set thread context of 2224	3560	c1b1b337c38d525e3430e3c1e90ae355.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3924	3560	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3560	c1b1b337c38d525e3430e3c1e90ae355.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 2224	3560	c1b1b337c38d525e3430e3c1e90ae355.exe	75
PID 3560 wrote to memory of 2224	3560	c1b1b337c38d525e3430e3c1e90ae355.exe	75
PID 3560 wrote to memory of 2224	3560	c1b1b337c38d525e3430e3c1e90ae355.exe	75
PID 3560 wrote to memory of 2224	3560	c1b1b337c38d525e3430e3c1e90ae355.exe	75
PID 3560 wrote to memory of 2224	3560	c1b1b337c38d525e3430e3c1e90ae355.exe	75

C:\Users\Admin\AppData\Local\Temp\c1b1b337c38d525e3430e3c1e90ae355.exe
"C:\Users\Admin\AppData\Local\Temp\c1b1b337c38d525e3430e3c1e90ae355.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:2224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 520
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3924

memory/2224-117-0x000001BDDC6F0000-0x000001BDDC6F1000-memory.dmp

Filesize
4KB

Download
memory/2224-118-0x000001BDDC890000-0x000001BDDC95A000-memory.dmp

Filesize
808KB

Download
memory/3560-116-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/3560-115-0x0000000000620000-0x000000000076A000-memory.dmp

Filesize
1.3MB

Download