darkvision | 93a61c234e788db0e457a4200650cb65eae29963b53e718842857627be362f89

General

Target

CraxsR76.bat
Size

769KB
MD5

a65ffe9a5a2c4d89bad9b84de0f7ce07
SHA1

001154c78285312645a1e27f961b588c717f87e7
SHA256

5299e8eb13c074c3193ee0e8c1586747687964c0944081fc25784e006353ea85
SHA512

655e9e14f5f0fdeac469b1772f28aec8be5458d9b68b7667a23c18c84a04366a6239154ffaaafb2120261000219ea50003ac6946cbdf2775fee8997e7d13cc9f
SSDEEP

12288:fIwxBr74Qz56RqQdgN+p1gZVpqFprjL9R85QLFZIiK:V98661gmCv8L785Q5K

Score

10^/10

darkvision defense_evasion discovery persistence rat

Malware Config

Extracted

Family

darkvision

C2

91.92.241.132

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{2F02CBCC-E614-41F3-A3BF-71EA7386B896}.lnk	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
1892	z88m1jq3dq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\Users\\Admin\\AppData\\Roaming\\wdir\\X5R.exe {9BE0A78E-D296-44BB-AB0C-D66D2FE615FE}"	explorer.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2352	certutil.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z88m1jq3dq.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1892	z88m1jq3dq.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1892	z88m1jq3dq.exe
1892	z88m1jq3dq.exe
1892	z88m1jq3dq.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2352	2068	cmd.exe	32
PID 2068 wrote to memory of 2352	2068	cmd.exe	32
PID 2068 wrote to memory of 2352	2068	cmd.exe	32
PID 2068 wrote to memory of 1892	2068	cmd.exe	33
PID 2068 wrote to memory of 1892	2068	cmd.exe	33
PID 2068 wrote to memory of 1892	2068	cmd.exe	33
PID 2068 wrote to memory of 1892	2068	cmd.exe	33
PID 1892 wrote to memory of 2280	1892	z88m1jq3dq.exe	34
PID 1892 wrote to memory of 2280	1892	z88m1jq3dq.exe	34
PID 1892 wrote to memory of 2280	1892	z88m1jq3dq.exe	34
PID 1892 wrote to memory of 2280	1892	z88m1jq3dq.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsR76.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\system32\certutil.exe
  certutil -decode C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.txt C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.exe
  2⤵
  - Deobfuscate/Decode Files or Information
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.exe
  C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Deobfuscate/Decode Files or Information

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.exe

Filesize
560KB

MD5
8b05d89985316bf554044a33ce820378

SHA1
d8487bbb42f29b2eadee0ecee3e56c3c22fa9b23

SHA256
a2c7f34abdda0f648f2d18b2534e5e6e68ee366853ff1b4d40e09554be3dbb42

SHA512
fcb19006a27e91c866b01b88ae1875d488cef3249d2f6ae536ac50889450b761ea2d51535c24c1b1ab147e304d0549a1abd2a2d1ad019e5c1e698778ad4f3511

Download Submit
C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.txt

Filesize
6KB

MD5
08c8fabf375fc8c52dacdc63619da360

SHA1
818b431c58e47597d320fc16cf48d3343b8550ee

SHA256
80c346cf12e337ad746b444decac081043422e1816ad6b3c4eb9c43c1927cf2e

SHA512
f161fbe14ac01cb7fe9476d9c3cbe0890d147519bdfd14a4a97ec54e7af87d0eab83a5e0f87f7a69082a44257c615a41761013848ca78648de85485d22c8b962

Download Submit
C:\Users\Admin\AppData\Local\Temp\z88m1jq3dq.txt

Filesize
750KB

MD5
10c4f20db1e13a3f88cc389711fe0ec9

SHA1
296599a4d1c3ae0f855840f22a233bb7572e7471

SHA256
7d41cc6ca6a26da1990ca4284f5e2003d27d9da24ae04c71a27d5aa789cb7ddd

SHA512
da13f0b93402bf9f51399dc4379698c0e9d718a4121ff1fe6790901ce7403445b92589a6d2e815df6e57a64aeab4ccf12f933a31fff402a80b8eeb8b78645e85

Download Submit
memory/2280-961-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2280-974-0x0000000000320000-0x0000000000395000-memory.dmp

Filesize
468KB

Download
memory/2280-971-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2280-969-0x0000000000320000-0x0000000000395000-memory.dmp

Filesize
468KB

Download
memory/2280-962-0x0000000000320000-0x0000000000395000-memory.dmp

Filesize
468KB

Download
memory/2280-975-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads