darkvnc | d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a

General

Target

d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe
Size

448KB
MD5

64b4db1046496c57a0779befc72c264d
SHA1

71cfbee47a5b6f0bb18bba914b5896b3037cfeab
SHA256

d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a
SHA512

d59bf100032299d10e6737d9489202545ce4cf3b403407da0ba0fbbd0f72b502478ce3557008ad785e146041a100e2e48ba1d9414a983d954cea7437c424f3da

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 636 created 996	636	WerFault.exe	67

DarkVNC Payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/996-114-0x0000000004A20000-0x0000000004AA8000-memory.dmp	darkvnc
behavioral1/memory/996-117-0x0000000000400000-0x0000000002CA6000-memory.dmp	darkvnc
behavioral1/memory/3452-119-0x0000016AEFC60000-0x0000016AEFF59000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 996 set thread context of 3452	996	d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
636	996	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
996	d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 3452	996	d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe	75
PID 996 wrote to memory of 3452	996	d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe	75
PID 996 wrote to memory of 3452	996	d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe	75
PID 996 wrote to memory of 3452	996	d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe	75
PID 996 wrote to memory of 3452	996	d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe	75

C:\Users\Admin\AppData\Local\Temp\d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe
"C:\Users\Admin\AppData\Local\Temp\d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 484
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636

memory/996-114-0x0000000004A20000-0x0000000004AA8000-memory.dmp

Filesize
544KB

Download
memory/996-117-0x0000000000400000-0x0000000002CA6000-memory.dmp

Filesize
40.6MB

Download
memory/3452-118-0x0000016AEFA60000-0x0000016AEFA89000-memory.dmp

Filesize
164KB

Download
memory/3452-119-0x0000016AEFC60000-0x0000016AEFF59000-memory.dmp

Filesize
3.0MB

Download