darkvnc | 47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4

Analysis

Target

47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe
Size

408KB
MD5

8b7f63f120e527135f9bb9a3d7621120
SHA1

70c4b402faade6530f0f0e3a8ccc452f1c2773e7
SHA256

47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4
SHA512

67f4f0612aac3c7a57f39918ef260496d2e695f5cc3217d4d48661c23c9d2f6a8834c2c7cd965f1564b19eb9a12185a2ce50745d26913cd6ffcd94632410170b

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC Payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1816-62-0x00000000020B0000-0x0000000002138000-memory.dmp	darkvnc
behavioral1/memory/1816-63-0x0000000000400000-0x00000000008D0000-memory.dmp	darkvnc
behavioral1/memory/1464-65-0x0000000001B50000-0x0000000001C1A000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 1464	1816	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	26

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1816	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1464	1816	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	26
PID 1816 wrote to memory of 1464	1816	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	26
PID 1816 wrote to memory of 1464	1816	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	26
PID 1816 wrote to memory of 1464	1816	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	26
PID 1816 wrote to memory of 1464	1816	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	26
PID 1816 wrote to memory of 1464	1816	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	26
PID 1816 wrote to memory of 1464	1816	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	26

C:\Users\Admin\AppData\Local\Temp\47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:1464

memory/1464-61-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

Filesize
8KB

Download
memory/1464-64-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1464-65-0x0000000001B50000-0x0000000001C1A000-memory.dmp

Filesize
808KB

Download
memory/1816-59-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1816-62-0x00000000020B0000-0x0000000002138000-memory.dmp

Filesize
544KB

Download
memory/1816-63-0x0000000000400000-0x00000000008D0000-memory.dmp

Filesize
4.8MB

Download