Extracted

• • Target

    UZPt0hR.exe

  • Size

    1.2MB

  • MD5

    bf6f64455cb1039947a3100e62f96a52

  • SHA1

    28cdd5c2e82d4ad078420dcbf4b32b928861fcb6

  • SHA256

    c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba

  • SHA512

    c2ceb000b387710cf388e6699a2cb4465380bf5798d9f37c238db0701aaea6ccad1f44e6b9e45398050202ef875a5d7679890df2bb65538a0c8a9655c62c185b

  • SSDEEP

    24576:dgnEunWewizz3Q/Nngwxx8T2d920PIGkbQjI/zC5rrpoJNlyZ4:+nEunFxz7Q/Nngp47AGkboF0l

  Score

  10^/10

  darkvisionbootkitdefense_evasiondiscoveryexecutionpersistencerat

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

    ratdarkvision

  • Darkvision family

    darkvision

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Impair Defenses: Safe Mode Boot

    defense_evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral1