darkvision | aeed70a3f936b699e93f18dfc5b4a582a6a08be7d52d8e6229754f96205aecb2

General

Target

009274965.lnk
Size

2KB
Sample

241231-kceynatrbr
MD5

7f070dfbaa6893bb2effac0f2320a1d7
SHA1

293e7f6f6e70a0c7699215b3402dc5ff2bb2bfaa
SHA256

aeed70a3f936b699e93f18dfc5b4a582a6a08be7d52d8e6229754f96205aecb2
SHA512

720b2a90dd051160aeaa1a11a70433213b96f04e8d160c55c699f4fd6af7f1c07db61e110e684d9ce91ad79e987bd809497eb2d52ac2f3bd96cdb289c443b883

Score

10^/10

Malware Config

Extracted

Family

darkvision

C2

acuweld.ddns.net

Targets

- Target
  
  009274965.lnk
- Size
  
  2KB
- MD5
  
  7f070dfbaa6893bb2effac0f2320a1d7
- SHA1
  
  293e7f6f6e70a0c7699215b3402dc5ff2bb2bfaa
- SHA256
  
  aeed70a3f936b699e93f18dfc5b4a582a6a08be7d52d8e6229754f96205aecb2
- SHA512
  
  720b2a90dd051160aeaa1a11a70433213b96f04e8d160c55c699f4fd6af7f1c07db61e110e684d9ce91ad79e987bd809497eb2d52ac2f3bd96cdb289c443b883
Score

10^/10

execution darkvision rat
- DarkVision Rat
  DarkVision Rat is a trojan written in C++.
  rat darkvision
- Darkvision family
  darkvision
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

PowerShell

2

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

DarkVision Rat

Darkvision family

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2