darkvision | 0f08beb8660353d377f2ea2ff01264d8c64a7eeb01f29fe91711ab02ead13e47 | Triage

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 05:17

Sharing

Report Analysis Logs

General

Target

STUB.exe
Size

276KB
MD5

a5772b2f2d542f4b9c8b470ffc6dc8aa
SHA1

1b06cc73448b6ac1cbd9a65d3a7272f498f0d7d6
SHA256

0f08beb8660353d377f2ea2ff01264d8c64a7eeb01f29fe91711ab02ead13e47
SHA512

5e67d9cc0fda9f87d3b7ea0fd39d9d5130d3b2cd4f0c40a7b2aefe347c7b070f262bb43cb5477c26d01050fedaaa01c9cfa39c64ef3bdd18f6b892a7e8d8503e
SSDEEP

3072:rrDyh1bdjkWxF/1PVg88WRhgEr1yNhT2xE/3MW7o4+W95nBkBPV5Epr1R:uhhJDFgX3Er8PTAE/3JR52Va

Score

10^/10

darkvision rat

Malware Config

Extracted

Family

darkvision

C2

147.185.221.24

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Executes dropped EXE 1 IoCs

pid	Process
3736	admin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3844	STUB.exe
3844	STUB.exe
3844	STUB.exe
3844	STUB.exe
3736	admin.exe
3736	admin.exe
3736	admin.exe
3736	admin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	STUB.exe
Token: SeDebugPrivilege	3736	admin.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 3736	3844	STUB.exe	82
PID 3844 wrote to memory of 3736	3844	STUB.exe	82

C:\Users\Admin\AppData\Local\Temp\STUB.exe
"C:\Users\Admin\AppData\Local\Temp\STUB.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844
- C:\ProgramData\Server\admin.exe
  "C:\ProgramData\Server\admin.exe" {8CD74CEB-EB0C-4B9F-AB18-236234CBF3C0}
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Server\admin.exe

Filesize
276KB

MD5
a5772b2f2d542f4b9c8b470ffc6dc8aa

SHA1
1b06cc73448b6ac1cbd9a65d3a7272f498f0d7d6

SHA256
0f08beb8660353d377f2ea2ff01264d8c64a7eeb01f29fe91711ab02ead13e47

SHA512
5e67d9cc0fda9f87d3b7ea0fd39d9d5130d3b2cd4f0c40a7b2aefe347c7b070f262bb43cb5477c26d01050fedaaa01c9cfa39c64ef3bdd18f6b892a7e8d8503e

Download Submit