darkvnc | 47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4

General

Target

47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe
Size

408KB
MD5

8b7f63f120e527135f9bb9a3d7621120
SHA1

70c4b402faade6530f0f0e3a8ccc452f1c2773e7
SHA256

47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4
SHA512

67f4f0612aac3c7a57f39918ef260496d2e695f5cc3217d4d48661c23c9d2f6a8834c2c7cd965f1564b19eb9a12185a2ce50745d26913cd6ffcd94632410170b

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 580 created 740	580	WerFault.exe	67

DarkVNC Payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/740-115-0x0000000002600000-0x0000000002688000-memory.dmp	darkvnc
behavioral2/memory/740-116-0x0000000000400000-0x00000000008D0000-memory.dmp	darkvnc
behavioral2/memory/3184-119-0x000002068A450000-0x000002068A749000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 740 set thread context of 3184	740	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
580	740	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
740	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 3184	740	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	75
PID 740 wrote to memory of 3184	740	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	75
PID 740 wrote to memory of 3184	740	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	75
PID 740 wrote to memory of 3184	740	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	75
PID 740 wrote to memory of 3184	740	47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe	75

C:\Users\Admin\AppData\Local\Temp\47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:3184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 496
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:580

memory/740-115-0x0000000002600000-0x0000000002688000-memory.dmp

Filesize
544KB

Download
memory/740-116-0x0000000000400000-0x00000000008D0000-memory.dmp

Filesize
4.8MB

Download
memory/3184-118-0x000002068A2B0000-0x000002068A2D9000-memory.dmp

Filesize
164KB

Download
memory/3184-119-0x000002068A450000-0x000002068A749000-memory.dmp

Filesize
3.0MB

Download