darkvnc | e5645c71f642f457348025cca404a3e756f91b0ae418cebae622935cea1707f6

Analysis

Target

zdnDE6F.tmp.dll
Size

1.3MB
MD5

108b97c82934dd23e8d7cd9534ad2685
SHA1

991d8933b8afe85c743321050c63c34dad9eb69a
SHA256

e5645c71f642f457348025cca404a3e756f91b0ae418cebae622935cea1707f6
SHA512

0e902f5e0a34326e14d1df413265fa3057094091897b4e3c3e7e34eec511cfbdf9d99b4a9c1efc537f0ea977c0bcc38683fff9cbb4acb6a25e680c9c0931e0fc

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC Payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1076-62-0x00000000741B0000-0x0000000074397000-memory.dmp	darkvnc
behavioral1/memory/1076-61-0x00000000741B0000-0x000000007423A000-memory.dmp	darkvnc
behavioral1/memory/1624-67-0x0000000001B80000-0x0000000001C4A000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1076 set thread context of 1624	1076	rundll32.exe	30

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1076	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1076	1240	rundll32.exe	26
PID 1240 wrote to memory of 1076	1240	rundll32.exe	26
PID 1240 wrote to memory of 1076	1240	rundll32.exe	26
PID 1240 wrote to memory of 1076	1240	rundll32.exe	26
PID 1240 wrote to memory of 1076	1240	rundll32.exe	26
PID 1240 wrote to memory of 1076	1240	rundll32.exe	26
PID 1240 wrote to memory of 1076	1240	rundll32.exe	26
PID 1076 wrote to memory of 1624	1076	rundll32.exe	30
PID 1076 wrote to memory of 1624	1076	rundll32.exe	30
PID 1076 wrote to memory of 1624	1076	rundll32.exe	30
PID 1076 wrote to memory of 1624	1076	rundll32.exe	30
PID 1076 wrote to memory of 1624	1076	rundll32.exe	30
PID 1076 wrote to memory of 1624	1076	rundll32.exe	30
PID 1076 wrote to memory of 1624	1076	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\zdnDE6F.tmp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\zdnDE6F.tmp.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe
    3⤵
    PID:1624

memory/1076-60-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1076-62-0x00000000741B0000-0x0000000074397000-memory.dmp

Filesize
1.9MB

Download
memory/1076-61-0x00000000741B0000-0x000000007423A000-memory.dmp

Filesize
552KB

Download
memory/1076-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1624-64-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1624-66-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1624-67-0x0000000001B80000-0x0000000001C4A000-memory.dmp

Filesize
808KB

Download