Extracted

• • Target

    041b2aedd7ad9d758f0050d0e016b89c4f136081c1f9b442ffc24b3f7afbbf0c.vbs

  • Size

    15KB

  • MD5

    bcb612e1b6c71a2a1abd92a00db83b7e

  • SHA1

    7416472e00f07753fb801e6afad7462a848fa59b

  • SHA256

    041b2aedd7ad9d758f0050d0e016b89c4f136081c1f9b442ffc24b3f7afbbf0c

  • SHA512

    bd45e8daf9aa07dfbb0e0c728635c8cf7f7c8fd85eacc7f989153de8b6c01aed016632f304749a281e8501eadd469f8448e977bb4b69f2aa5498e5259ffa5d4d

  • SSDEEP

    384:Kzo3hl0ageVAsThoswEOelN91UhtDnj6H+Dded:thHlFzwSf/2tzq+Red

  Score

  10^/10

  darkvisionexecutionrat

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

    ratdarkvision

  • Darkvision family

    darkvision

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

  behavioral1behavioral2