darkvision | d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6

Resubmissions

25-11-2024 20:05

241125-yts4hatnbw 10

19-11-2024 09:15

241119-k7462aykbj 10

Analysis

max time kernel
61s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe
Size

1.1MB
MD5

4c99b8a6627bee05a1de8d9061631551
SHA1

4cb8a13eb146431ee6d45d4b8daab7088e9ae5c2
SHA256

d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6
SHA512

a17a604f3eda7d04dff453ebe3548b25e43c1fe9f0cd9702a75c20cd87ad16adafb1d3edae8f8c886a1b81173a4fbbdec7d5fd009feb3869701e9cb170756b42
SSDEEP

24576:BftC16YGW3ad7jWpZAgcteeJp5uXirVpVwL03E+g1RRN9wVQ:BfYhwd7jkAgc1BrVrPEtRd

Score

10^/10

darkvision rat

Malware Config

Extracted

Family

darkvision

http://fiestagrandefm.com/ss/upload.php

85.209.133.9

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision
Downloads MZ/PE file
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4332 set thread context of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1180	vbc.exe
1180	vbc.exe
1180	vbc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 4332 wrote to memory of 1180	4332	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	99
PID 1180 wrote to memory of 4812	1180	vbc.exe	101
PID 1180 wrote to memory of 4812	1180	vbc.exe	101

C:\Users\Admin\AppData\Local\Temp\d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe
"C:\Users\Admin\AppData\Local\Temp\d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\EXPLORER.EXE
    C:\Windows\EXPLORER.EXE {F34EC6D1-895B-4806-959C-01B8FEAFF719}
    3⤵
    PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-8-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1180-34-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1180-33-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1180-30-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1180-13-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1180-14-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1180-12-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1180-10-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/4332-5-0x00007FFCC7F00000-0x00007FFCC89C1000-memory.dmp

Filesize
10.8MB

Download
memory/4332-7-0x000002643B120000-0x000002643B1D8000-memory.dmp

Filesize
736KB

Download
memory/4332-6-0x0000026420400000-0x0000026420414000-memory.dmp

Filesize
80KB

Download
memory/4332-0-0x00007FFCC7F03000-0x00007FFCC7F05000-memory.dmp

Filesize
8KB

Download
memory/4332-15-0x00007FFCC7F00000-0x00007FFCC89C1000-memory.dmp

Filesize
10.8MB

Download
memory/4332-4-0x00007FFCC7F03000-0x00007FFCC7F05000-memory.dmp

Filesize
8KB

Download
memory/4332-3-0x00000264203D0000-0x00000264203F6000-memory.dmp

Filesize
152KB

Download
memory/4332-2-0x00007FFCC7F00000-0x00007FFCC89C1000-memory.dmp

Filesize
10.8MB

Download
memory/4332-1-0x000002641FD20000-0x000002641FE3A000-memory.dmp

Filesize
1.1MB

Download
memory/4812-16-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/4812-17-0x00000000013D0000-0x00000000014D3000-memory.dmp

Filesize
1.0MB

Download
memory/4812-23-0x00000000013D0000-0x00000000014D3000-memory.dmp

Filesize
1.0MB

Download
memory/4812-32-0x00000000013D0000-0x00000000014D3000-memory.dmp

Filesize
1.0MB

Download