darkvision | 7fcc3d8b51097943139c0172835f9a4b150ebeedb815243dfcd6c240c81a3b1e | Triage

Sharing

General

Target

InquiryDocument.z
Size

1.3MB
Sample

250228-nw2hjsyvew
MD5

ace368219c4115e2217602ec9343ab1f
SHA1

790b23cfd6e94b7875c6f5c72eb235899f1cddd4
SHA256

7fcc3d8b51097943139c0172835f9a4b150ebeedb815243dfcd6c240c81a3b1e
SHA512

305c9cda42ecfb8a930ec866563c92c0fd04e5a55b7ed4e8f891d56b11c3b96af2654388c1911718671bd3c981953f515271fe164d85237fcdeadb3657bc1856
SSDEEP

24576:E/Qs0qxVCihuU8JrdgboAhaCjaYEE/GX/qcU2eVEPrdaebjOA:EYs08Vx98JCk0eLE/tcU2uoaeT

Score

10^/10

darkvision execution rat

Malware Config

Extracted

Family

darkvision

C2

acuweld.ddns.net

Targets

- Target
  
  InquiryDocument.exe
- Size
  
  1.6MB
- MD5
  
  259bb04751cadc3d34e272a9ca526703
- SHA1
  
  b95e94b9aa33de3ef616a15f3bdb85df57aeba9d
- SHA256
  
  57de9cffa15a62f5ed864bb9969eb6fc1e534ac6fe00cfb32e33bf6d7f6d9457
- SHA512
  
  cee486ae6ad3a28d5f96f40eeb9bb063a71f60d9cf171b2c08001c404d7984e1152b4f8377019ea80cb5c4acbdb34aa1f9242436a07d11647ec88aaf262e168d
- SSDEEP
  
  49152:BaescpQuDPi0f0gOqgWs1SmC6uqlxlb1y:BaS0g9qI9Tqrlb1
Score

10^/10

darkvision execution rat
- DarkVision Rat
  DarkVision Rat is a trojan written in C++.
  rat darkvision
- Darkvision family
  darkvision
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkvisionexecutionrat