Overview

overview

10

Static

static

1

b11bfaa78d...7d.lnk

windows7-x64

8

b11bfaa78d...7d.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4dab3e7b78ccfc190b36eb728b6e74d0.bin

  • Size

    1KB

  • Sample

    241229-bl3awaxpbw

  • MD5

    43cfa7e36d69035fb9973c2506a99f71

  • SHA1

    cbf7c87ff431da87a0f21eb8cae608a7051224e1

  • SHA256

    1620698c8c272a8fa626dff31c4ad75c160700a9b6c1c9d6ba9387e53a6b4ce2

  • SHA512

    6332c1afb2a08c79d25ca259c4cb2b0bb6da5d7f9276dbc679d45abdd5534040ebf393acd7836088b7d7cdcc162a21d0ecc8cf35d26aa0cd28f1dc398de8ab88

Score
10/10
darkvisionexecutionrat

Malware Config

Targets

    • Target

      b11bfaa78d9b614cf39cc02d64fe8c115085ce39c9b747913705a6520e8a7e7d.lnk

    • Size

      2KB

    • MD5

      4dab3e7b78ccfc190b36eb728b6e74d0

    • SHA1

      296f5169adbc438e4ec1610d46c0f451417b7b71

    • SHA256

      b11bfaa78d9b614cf39cc02d64fe8c115085ce39c9b747913705a6520e8a7e7d

    • SHA512

      227e416b6f1f3e465d02da79c9683348d7e26c016fc7c9aa37b9e11189ecb351f0f9d992548182af6831b56e81f2301bd6169ba539aa203457b0823d27a11ee0

    Score
    10/10
    executiondarkvisionrat

    • DarkVision Rat

      DarkVision Rat is a trojan written in C++.

      ratdarkvision

    • Darkvision family

      darkvision

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks