darkvision | b9e724730282edffa71360eba20d3d461bdda32ec3445571a27a57ea75ef6c81

Analysis

max time kernel
34s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hunter.exe
Size

453KB
MD5

f2d7130f55f26b026699f8c21d0aa262
SHA1

9c9954a10b95900fc4e0696973d1d030b3ec12d6
SHA256

3024dda41d8c20fe676b52db4308e87d3322446ffc4e3e67f8437a31b436e04a
SHA512

a0a4745791ed9357e1731d5eb583865670599f0aafa9b3b23dcd486b540462ad61e2649216e6fe57f617129378c0b827ed31970904428abe3605615597506f6e
SSDEEP

6144:+MdVKz+LuaBM4/1qrbbYTsHYU6Aez8HVWIrJMA:LLXqrH+R+T

Score

10^/10

darkvision persistence rat

Malware Config

Extracted

Family

darkvision

45.200.148.238

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Deletes itself 1 IoCs

pid	Process
2720	explorer.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{1BB636C1-BB39-4E3A-A75B-FE77D986CD4B}.lnk	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\SVHost\\Server,exe {1149E89C-5140-4775-8B58-A05B32B01D5D}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\SVHost\\Server,exe {1149E89C-5140-4775-8B58-A05B32B01D5D}"	explorer.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2260	Hunter.exe
2260	Hunter.exe
2260	Hunter.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2720	2260	Hunter.exe	83
PID 2260 wrote to memory of 2720	2260	Hunter.exe	83

C:\Users\Admin\AppData\Local\Temp\Hunter.exe
"C:\Users\Admin\AppData\Local\Temp\Hunter.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - Adds Run key to start application
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2720-0-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2720-1-0x0000000002A90000-0x0000000002B0A000-memory.dmp

Filesize
488KB

Download
memory/2720-8-0x0000000002A90000-0x0000000002B0A000-memory.dmp

Filesize
488KB

Download
memory/2720-12-0x0000000002A90000-0x0000000002B0A000-memory.dmp

Filesize
488KB

Download
memory/2720-13-0x0000000002A90000-0x0000000002B0A000-memory.dmp

Filesize
488KB

Download
memory/2720-14-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads