darkvision | dc467b57f0ac29a0ee0e1ed3c0e551c614f3c5e8b6a7c60c2e1c7e93a83f8d0d | Triage

Sharing

General

Target

dc467b57f0ac29a0ee0e1ed3c0e551c614f3c5e8b6a7c60c2e1c7e93a83f8d0d.exe
Size

225KB
Sample

250410-xyamaazzd1
MD5

b064c5c39eff3fb294144ed8a93966ea
SHA1

8a2686a5e8b1876c17e41bb3ee15477473fd567e
SHA256

dc467b57f0ac29a0ee0e1ed3c0e551c614f3c5e8b6a7c60c2e1c7e93a83f8d0d
SHA512

7c8b59d8e9b9cae517f7b342eec504f8276fe0515fc9148df9f48d4f353cdb9b895196c8734c0e212c27bc9f4d11b3bd9202d4ebf50d472dffdb9082fa3e1a2e
SSDEEP

3072:Ms1WvJ6f79wMK4+2GimcVRe+DvDDrhojDRmcldCKcW4OVWhMO:McWvS2MKdilBTDqj0kCk4Oy

Score

10^/10

darkvision execution rat

Malware Config

Extracted

Family

darkvision

C2

toolsdns.ddns.net

Targets

- Target
  
  dc467b57f0ac29a0ee0e1ed3c0e551c614f3c5e8b6a7c60c2e1c7e93a83f8d0d.exe
- Size
  
  225KB
- MD5
  
  b064c5c39eff3fb294144ed8a93966ea
- SHA1
  
  8a2686a5e8b1876c17e41bb3ee15477473fd567e
- SHA256
  
  dc467b57f0ac29a0ee0e1ed3c0e551c614f3c5e8b6a7c60c2e1c7e93a83f8d0d
- SHA512
  
  7c8b59d8e9b9cae517f7b342eec504f8276fe0515fc9148df9f48d4f353cdb9b895196c8734c0e212c27bc9f4d11b3bd9202d4ebf50d472dffdb9082fa3e1a2e
- SSDEEP
  
  3072:Ms1WvJ6f79wMK4+2GimcVRe+DvDDrhojDRmcldCKcW4OVWhMO:McWvS2MKdilBTDqj0kCk4Oy
Score

10^/10

darkvision execution rat
- DarkVision Rat
  DarkVision Rat is a trojan written in C++.
  rat darkvision
- Darkvision family
  darkvision
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkvisionexecutionrat