darkvision | hxxps://bazaar[.]abuse[.]ch/browse/

Resubmissions

20/04/2025, 02:24

250420-cvxmestkz9 4

19/04/2025, 20:30

250419-zaay9at1ay 10

Sharing

Copy URL

Twitter E-mail

General

Target

https://bazaar.abuse.ch/browse/
Sample

250419-zaay9at1ay

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.alnozha-qa.com
Port:
587
Username:
[email protected]
Password:
info123456789

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Extracted

Family

valleyrat_s2

Version

1.0

45.204.201.140:6666

Attributes

campaign_date
2025. 3.14

Extracted

Family

stealc

Botnet

suka

45.93.20.28

Attributes

url_path
/3d15e67552d448ff.php

rc4.plain

Extracted

Family

lumma

https://clarmodq.top/qoxo

https://piratetwrath.run/ytus

https://ychangeaie.top/geps

https://quilltayle.live/gksi

https://liftally.top/xasj

https://nighetwhisper.top/lekd

https://salaccgfa.top/gsooz

https://ekzestmodp.top/zeda

https://starofliught.top/wozd

https://meerkaty.digital/sagf

https://changeaie.top/geps

https://ssalaccgfa.top/gsooz

https://zestmodp.top/zeda

https://jawdedmirror.run/ewqd

https://lonfgshadow.live/xawi

https://3liftally.top/xasj

https://.nighetwhisper.top/lekd

https://owlflright.digital/qopy

https://nchangeaie.top/geps

https://7salaccgfa.top/gsooz

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.alnozha-qa.com
Port:
587
Username:
[email protected]
Password:
info123456789
Email To:
[email protected]

Targets

- Target
  
  https://bazaar.abuse.ch/browse/
Score

10^/10

darkvision gcleaner healer lumma rhadamanthys stealc valleyrat_s2 vipkeylogger suka backdoor bootkit collection credential_access defense_evasion discovery dropper execution keylogger loader persistence privilege_escalation pyinstaller rat spyware stealer upx
- DarkVision Rat
  DarkVision Rat is a trojan written in C++.
  rat darkvision
- Darkvision family
  darkvision
- Detects Healer an antivirus disabler dropper
- Detects Rhadamanthys payload
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Healer family
  healer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- ValleyRat
  ValleyRat stage2 is a backdoor written in C++.
  backdoor valleyrat_s2
- Valleyrat_s2 family
  valleyrat_s2
- Vipkeylogger family
  vipkeylogger
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1