Extracted

• • Target

    PO202503D.xlsm

  • Size

    36KB

  • MD5

    7928d4da38767e17b693dc1c3b12376b

  • SHA1

    b357c6211bbf9b463553d5137aac957fbd9b0868

  • SHA256

    525dca66603ba93785836da140e8bf75d86a71ce828d30797171a3989e1dee51

  • SHA512

    a3820c8bf86d3b29c781e28504e745d15e100a1e962c39f9f9d9185461f67233ef211c52b01c389b34fcc66876b22e22c122989c6a93ce885c3599f4650842ee

  • SSDEEP

    768:hSfin4o5bHOKLIsbWyi14m1xMeJodBTFRiARLVgqKM2kqioUuV2SB:hSfiNbLRbjcBJo9RiCf3qiXuZ

  Score

  10^/10

  discoveryexecutionpersistencedarkvisionrat

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

    ratdarkvision

  • Darkvision family

    darkvision

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2