Extracted

• • Target

    c839ec03c9b07879980d362ba4615df453d6e5847baf8fb89e1d0f2c5bafb2b8.hta

  • Size

    25KB

  • MD5

    03f88b6e5c92cf8865b13fb7495eac0a

  • SHA1

    5f8a0e82674b25a9ef0f5d93f23075b1d7fb632b

  • SHA256

    c839ec03c9b07879980d362ba4615df453d6e5847baf8fb89e1d0f2c5bafb2b8

  • SHA512

    6d3baedcb209cbeb080c0a5bf31c33441f2c31f3fba77c95e7ff7c549db05871564fca22b30971e0e8465aa9822cb64a06ec7daa7911c7c9318ee4ebcd267d94

  • SSDEEP

    192:b4sMlPX9+eCSEXxJckNfWMLAxdEW0UDqSbsCxLuoe23qNT2xZg6w0JGppinxDkdv:b4pX9+eCSEZLgi23q+gSIuq

  Score

  10^/10

  darkvisiondiscoveryexecutionpersistenceratcollectionspywarestealer

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

    ratdarkvision

  • Darkvision family

    darkvision

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Command and Scripting Interpreter: PowerShell

    Start PowerShell.

    execution

  • Suspicious use of SetThreadContext

  behavioral1behavioral2