darkvnc | bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 07:16

Target

2d0b8663c370b76694a77d6ce5f3897c.exe
Size

448KB
MD5

2d0b8663c370b76694a77d6ce5f3897c
SHA1

f803c6a204231bf80b8ee47912c43d597dbfda8f
SHA256

bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330
SHA512

837d15e30285cdc0b8935bb1f72d06e2c9cd96423dffd81586ed692d27a432496c9da8413c8f356a9be02cb53f9fddd967f724f17799169baf0465ddce49388d
SSDEEP

12288:6QcCNAX253YeA+2CzSIPi2eWW7IP8T9C57h:6QcCNfpi+vJBc9I

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1380-2-0x0000000000220000-0x00000000002A8000-memory.dmp	darkvnc
behavioral1/memory/1380-5-0x0000000000400000-0x0000000002CA6000-memory.dmp	darkvnc
behavioral1/memory/2320-7-0x0000000001C20000-0x0000000001CEA000-memory.dmp	darkvnc
behavioral1/memory/2320-12-0x0000000001C20000-0x0000000001CEA000-memory.dmp	darkvnc
behavioral1/memory/2320-13-0x0000000001C20000-0x0000000001CEA000-memory.dmp	darkvnc
behavioral1/memory/1380-14-0x0000000000400000-0x0000000002CA6000-memory.dmp	darkvnc
behavioral1/memory/1380-15-0x0000000000220000-0x00000000002A8000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

Processes:

2d0b8663c370b76694a77d6ce5f3897c.exe

description pid process target process

PID 1380 set thread context of 2320 1380 2d0b8663c370b76694a77d6ce5f3897c.exe WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2d0b8663c370b76694a77d6ce5f3897c.exe

pid process

1380 2d0b8663c370b76694a77d6ce5f3897c.exe

description	pid	process	target process
PID 1380 set thread context of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	WerFault.exe

pid	process
1380	2d0b8663c370b76694a77d6ce5f3897c.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2d0b8663c370b76694a77d6ce5f3897c.exe

description	pid	process	target process
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	WerFault.exe
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	WerFault.exe
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	WerFault.exe
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	WerFault.exe
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	WerFault.exe
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	WerFault.exe
PID 1380 wrote to memory of 2320	1380	2d0b8663c370b76694a77d6ce5f3897c.exe	WerFault.exe

memory/1380-1-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

Filesize
1024KB

Download
memory/1380-2-0x0000000000220000-0x00000000002A8000-memory.dmp

Filesize
544KB

Download
memory/1380-5-0x0000000000400000-0x0000000002CA6000-memory.dmp

Filesize
40.6MB

Download
memory/1380-14-0x0000000000400000-0x0000000002CA6000-memory.dmp

Filesize
40.6MB

Download
memory/1380-15-0x0000000000220000-0x00000000002A8000-memory.dmp

Filesize
544KB

Download
memory/2320-4-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/2320-7-0x0000000001C20000-0x0000000001CEA000-memory.dmp

Filesize
808KB

Download
memory/2320-9-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2320-12-0x0000000001C20000-0x0000000001CEA000-memory.dmp

Filesize
808KB

Download
memory/2320-13-0x0000000001C20000-0x0000000001CEA000-memory.dmp

Filesize
808KB

Download