Overview

overview

10

Static

static

1

Rechnung_2...df.lnk

windows7-x64

10

Rechnung_2...df.lnk

windows10-2004-x64

10

Rechnung_2...df.lnk

windows7-x64

10

Rechnung_2...df.lnk

windows10-2004-x64

10

Rechnung_2...df.lnk

windows7-x64

10

Rechnung_2...df.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    29112024_1601_Rechnungens.zip

  • Size

    3KB

  • Sample

    241129-tgan6symgn

  • MD5

    81b1745ee32e396cfa36eed18b1b2927

  • SHA1

    953d7ad0f9d8036fd23f278d5381dd67091e7323

  • SHA256

    781f41c23b460a8b90f0bdb4b2cd0c6642bda3883f45464f016fd9c3b44dbb25

  • SHA512

    6f0fa3df23002fcc0f66ba3f6ebc2b6394af4ac293b2874176f122e855054f08ba9f4414e89b7cfe7abb368ffbb8ca9de2d89709e879d67126f3357a3e0e9b05

Score
10/10
darkvisioncollectiondiscoveryexecutionpersistenceratspywarestealer

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://pub-fee23c54ae4b464fb3904eebeb70c629.r2.dev/upgrade.hta

Extracted

Family

darkvision

C2

5.206.227.213

Extracted

Language
hta
Source
URLs
hta.dropper

https://pub-fee23c54ae4b464fb3904eebeb70c629.r2.dev/upgrade.hta

Targets

    • Target

      Rechnung_2024_0092.pdf.lnk

    • Size

      3KB

    • MD5

      22c803dba48be47631f50a2bc486663d

    • SHA1

      62061211cc2ec3c8d655e0c3217e1e0febb2a4f8

    • SHA256

      7626763bffacecfaaad1880271b0ebc95b3bf961fc21a94e83341641d516adec

    • SHA512

      258635b1c0428a64ad28f0f3d30d24ead81a9e4413a962c49dc5804606931b26046ca048c1e22b4116d1b7f9148e5dcf9c9c6413c06221fce446601da4826709

    Score
    10/10
    darkvisiondiscoveryexecutionpersistenceratcollectionspywarestealer

    • DarkVision Rat

      DarkVision Rat is a trojan written in C++.

      ratdarkvision

    • Darkvision family

      darkvision

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Rechnung_2024_0093.pdf.lnk

    • Size

      3KB

    • MD5

      22c803dba48be47631f50a2bc486663d

    • SHA1

      62061211cc2ec3c8d655e0c3217e1e0febb2a4f8

    • SHA256

      7626763bffacecfaaad1880271b0ebc95b3bf961fc21a94e83341641d516adec

    • SHA512

      258635b1c0428a64ad28f0f3d30d24ead81a9e4413a962c49dc5804606931b26046ca048c1e22b4116d1b7f9148e5dcf9c9c6413c06221fce446601da4826709

    Score
    10/10
    discoveryexecutionpersistencedarkvisioncollectionratspywarestealer

    • DarkVision Rat

      DarkVision Rat is a trojan written in C++.

      ratdarkvision

    • Darkvision family

      darkvision

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      Rechnung_2024_0094.pdf.lnk

    • Size

      3KB

    • MD5

      22c803dba48be47631f50a2bc486663d

    • SHA1

      62061211cc2ec3c8d655e0c3217e1e0febb2a4f8

    • SHA256

      7626763bffacecfaaad1880271b0ebc95b3bf961fc21a94e83341641d516adec

    • SHA512

      258635b1c0428a64ad28f0f3d30d24ead81a9e4413a962c49dc5804606931b26046ca048c1e22b4116d1b7f9148e5dcf9c9c6413c06221fce446601da4826709

    Score
    10/10
    darkvisiondiscoveryexecutionpersistenceratcollectionspywarestealer

    • DarkVision Rat

      DarkVision Rat is a trojan written in C++.

      ratdarkvision

    • Darkvision family

      darkvision

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

3
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

1
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks