darkvision | d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6

General

Target

d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe
Size

1.1MB
MD5

4c99b8a6627bee05a1de8d9061631551
SHA1

4cb8a13eb146431ee6d45d4b8daab7088e9ae5c2
SHA256

d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6
SHA512

a17a604f3eda7d04dff453ebe3548b25e43c1fe9f0cd9702a75c20cd87ad16adafb1d3edae8f8c886a1b81173a4fbbdec7d5fd009feb3869701e9cb170756b42
SSDEEP

24576:BftC16YGW3ad7jWpZAgcteeJp5uXirVpVwL03E+g1RRN9wVQ:BfYhwd7jkAgc1BrVrPEtRd

Score

10^/10

darkvision rat

Malware Config

Extracted

Family

darkvision

C2

http://fiestagrandefm.com/ss/upload.php

85.209.133.9

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision
Downloads MZ/PE file
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2744	vbc.exe
2744	vbc.exe
2744	vbc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2916 wrote to memory of 2744	2916	d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe	31
PID 2744 wrote to memory of 2704	2744	vbc.exe	32
PID 2744 wrote to memory of 2704	2744	vbc.exe	32
PID 2744 wrote to memory of 2704	2744	vbc.exe	32

C:\Users\Admin\AppData\Local\Temp\d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe
"C:\Users\Admin\AppData\Local\Temp\d5001f35264c4470284bfad49145318d9c68700fe34b7bad8fbdc391500b3eb6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\EXPLORER.EXE
    C:\Windows\EXPLORER.EXE {F34EC6D1-895B-4806-959C-01B8FEAFF719}
    3⤵
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2704-23-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2704-36-0x0000000000490000-0x0000000000593000-memory.dmp

Filesize
1.0MB

Download
memory/2704-35-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2704-30-0x0000000000490000-0x0000000000593000-memory.dmp

Filesize
1.0MB

Download
memory/2704-24-0x0000000000490000-0x0000000000593000-memory.dmp

Filesize
1.0MB

Download
memory/2744-21-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-15-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/2744-38-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-9-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-8-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-11-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-10-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-16-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-20-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-19-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-18-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-37-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-14-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-13-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2744-12-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/2916-22-0x000007FEF67C0000-0x000007FEF71AC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-0-0x000007FEF67C3000-0x000007FEF67C4000-memory.dmp

Filesize
4KB

Download
memory/2916-5-0x000007FEF67C0000-0x000007FEF71AC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-4-0x000007FEF67C3000-0x000007FEF67C4000-memory.dmp

Filesize
4KB

Download
memory/2916-3-0x0000000002090000-0x00000000020B6000-memory.dmp

Filesize
152KB

Download
memory/2916-2-0x000007FEF67C0000-0x000007FEF71AC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-1-0x000000013FE50000-0x000000013FF6A000-memory.dmp

Filesize
1.1MB

Download
memory/2916-6-0x00000000007D0000-0x00000000007E4000-memory.dmp

Filesize
80KB

Download
memory/2916-7-0x000000001CE80000-0x000000001CF38000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing