darkvnc | 47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4

Analysis

Target

8b7f63f120e527135f9bb9a3d7621120.exe
Size

408KB
MD5

8b7f63f120e527135f9bb9a3d7621120
SHA1

70c4b402faade6530f0f0e3a8ccc452f1c2773e7
SHA256

47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4
SHA512

67f4f0612aac3c7a57f39918ef260496d2e695f5cc3217d4d48661c23c9d2f6a8834c2c7cd965f1564b19eb9a12185a2ce50745d26913cd6ffcd94632410170b

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2812 created 3716	2812	WerFault.exe	67

DarkVNC Payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3716-116-0x0000000000400000-0x00000000008D0000-memory.dmp	darkvnc
behavioral2/memory/3716-115-0x00000000024C0000-0x0000000002548000-memory.dmp	darkvnc
behavioral2/memory/2572-118-0x0000021B14940000-0x0000021B14A0A000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3716 set thread context of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2812	3716	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3716	8b7f63f120e527135f9bb9a3d7621120.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	75
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	75
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	75
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	75
PID 3716 wrote to memory of 2572	3716	8b7f63f120e527135f9bb9a3d7621120.exe	75

C:\Users\Admin\AppData\Local\Temp\8b7f63f120e527135f9bb9a3d7621120.exe
"C:\Users\Admin\AppData\Local\Temp\8b7f63f120e527135f9bb9a3d7621120.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:2572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 488
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

memory/2572-117-0x0000021B145E0000-0x0000021B14609000-memory.dmp

Filesize
164KB

Download
memory/2572-118-0x0000021B14940000-0x0000021B14A0A000-memory.dmp

Filesize
808KB

Download
memory/3716-116-0x0000000000400000-0x00000000008D0000-memory.dmp

Filesize
4.8MB

Download
memory/3716-115-0x00000000024C0000-0x0000000002548000-memory.dmp

Filesize
544KB

Download