darkvnc | bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 07:16

Target

2d0b8663c370b76694a77d6ce5f3897c.exe
Size

448KB
MD5

2d0b8663c370b76694a77d6ce5f3897c
SHA1

f803c6a204231bf80b8ee47912c43d597dbfda8f
SHA256

bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330
SHA512

837d15e30285cdc0b8935bb1f72d06e2c9cd96423dffd81586ed692d27a432496c9da8413c8f356a9be02cb53f9fddd967f724f17799169baf0465ddce49388d
SSDEEP

12288:6QcCNAX253YeA+2CzSIPi2eWW7IP8T9C57h:6QcCNfpi+vJBc9I

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/1380-2-0x0000000000220000-0x00000000002A8000-memory.dmp	darkvnc
behavioral1/memory/1380-5-0x0000000000400000-0x0000000002CA6000-memory.dmp	darkvnc
behavioral1/memory/2320-7-0x0000000001C20000-0x0000000001CEA000-memory.dmp	darkvnc
behavioral1/memory/2320-12-0x0000000001C20000-0x0000000001CEA000-memory.dmp	darkvnc
behavioral1/memory/2320-13-0x0000000001C20000-0x0000000001CEA000-memory.dmp	darkvnc
behavioral1/memory/1380-14-0x0000000000400000-0x0000000002CA6000-memory.dmp	darkvnc
behavioral1/memory/1380-15-0x0000000000220000-0x00000000002A8000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	28

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1380	2d0b8663c370b76694a77d6ce5f3897c.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	28
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	28
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	28
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	28
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	28
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	28
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	28

C:\Users\Admin\AppData\Local\Temp\2d0b8663c370b76694a77d6ce5f3897c.exe
"C:\Users\Admin\AppData\Local\Temp\2d0b8663c370b76694a77d6ce5f3897c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:2320

memory/1380-1-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

Filesize
1024KB

Download
memory/1380-2-0x0000000000220000-0x00000000002A8000-memory.dmp

Filesize
544KB

Download
memory/1380-5-0x0000000000400000-0x0000000002CA6000-memory.dmp

Filesize
40.6MB

Download
memory/1380-14-0x0000000000400000-0x0000000002CA6000-memory.dmp

Filesize
40.6MB

Download
memory/1380-15-0x0000000000220000-0x00000000002A8000-memory.dmp

Filesize
544KB

Download
memory/2320-4-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/2320-7-0x0000000001C20000-0x0000000001CEA000-memory.dmp

Filesize
808KB

Download
memory/2320-9-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2320-12-0x0000000001C20000-0x0000000001CEA000-memory.dmp

Filesize
808KB

Download
memory/2320-13-0x0000000001C20000-0x0000000001CEA000-memory.dmp

Filesize
808KB

Download