darkvnc | 5895164454aba620b70384013953a9e1e8e0b90166bd5fb849275e42071f0025

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-02-2024 23:20

Target

a79c261f6fae161ede7489db34ca3813.exe
Size

513KB
MD5

a79c261f6fae161ede7489db34ca3813
SHA1

c2d6bb13082a20c0fe6a97d49a01d5f39355e952
SHA256

5895164454aba620b70384013953a9e1e8e0b90166bd5fb849275e42071f0025
SHA512

6097dd911f5ca54e7df4281bae393b0a91abf601a89af33b726e177855c7060045db843763b9dff147b589cbf67a3daddf8b584a9f7adb340da377ce089c80a7
SSDEEP

12288:BwtKX9ioiqHf5svc1pG0GniZnI3dS0hTmc2IgsHMRmoemwy:+otioJnwxnynI3dWc2IgMTVmH

Score

10^/10

darkvnc rat

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2272-4-0x0000000000940000-0x00000000009C8000-memory.dmp	darkvnc
behavioral1/memory/2272-3-0x0000000000400000-0x0000000000937000-memory.dmp	darkvnc
behavioral1/memory/3000-6-0x0000000001B30000-0x0000000001BFA000-memory.dmp	darkvnc
behavioral1/memory/3000-11-0x0000000001B30000-0x0000000001BFA000-memory.dmp	darkvnc
behavioral1/memory/2272-12-0x0000000000400000-0x0000000000937000-memory.dmp	darkvnc

Suspicious use of SetThreadContext 1 IoCs

Processes:

a79c261f6fae161ede7489db34ca3813.exe

description pid process target process

PID 2272 set thread context of 3000 2272 a79c261f6fae161ede7489db34ca3813.exe WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a79c261f6fae161ede7489db34ca3813.exe

pid process

2272 a79c261f6fae161ede7489db34ca3813.exe

description	pid	process	target process
PID 2272 set thread context of 3000	2272	a79c261f6fae161ede7489db34ca3813.exe	WerFault.exe

pid	process
2272	a79c261f6fae161ede7489db34ca3813.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a79c261f6fae161ede7489db34ca3813.exe

description	pid	process	target process
PID 2272 wrote to memory of 3000	2272	a79c261f6fae161ede7489db34ca3813.exe	WerFault.exe
PID 2272 wrote to memory of 3000	2272	a79c261f6fae161ede7489db34ca3813.exe	WerFault.exe
PID 2272 wrote to memory of 3000	2272	a79c261f6fae161ede7489db34ca3813.exe	WerFault.exe
PID 2272 wrote to memory of 3000	2272	a79c261f6fae161ede7489db34ca3813.exe	WerFault.exe
PID 2272 wrote to memory of 3000	2272	a79c261f6fae161ede7489db34ca3813.exe	WerFault.exe
PID 2272 wrote to memory of 3000	2272	a79c261f6fae161ede7489db34ca3813.exe	WerFault.exe
PID 2272 wrote to memory of 3000	2272	a79c261f6fae161ede7489db34ca3813.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a79c261f6fae161ede7489db34ca3813.exe
"C:\Users\Admin\AppData\Local\Temp\a79c261f6fae161ede7489db34ca3813.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe
  2⤵
  PID:3000

memory/2272-1-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2272-4-0x0000000000940000-0x00000000009C8000-memory.dmp

Filesize
544KB

Download
memory/2272-3-0x0000000000400000-0x0000000000937000-memory.dmp

Filesize
5.2MB

Download
memory/2272-12-0x0000000000400000-0x0000000000937000-memory.dmp

Filesize
5.2MB

Download
memory/3000-5-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/3000-7-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3000-6-0x0000000001B30000-0x0000000001BFA000-memory.dmp

Filesize
808KB

Download
memory/3000-11-0x0000000001B30000-0x0000000001BFA000-memory.dmp

Filesize
808KB

Download