MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00028abdb20a478f15791b39f7f2179b0b75ebcd8fee2d6032a9475252251057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00028abdb20a478f15791b39f7f2179b0b75ebcd8fee2d6032a9475252251057
SHA3-384 hash: 94313f7bea3b6c051ad39118b12435ec73a292cd2501ef1f436577683e1a2fa86e2699e53050019971e3f7a382a54bb3
SHA1 hash: 41069a780c8ad6010d0cc31b8eb722f416ce208c
MD5 hash: 26f9ce8936f12944a0bbd3e8758cba01
humanhash: finch-sink-lactose-sad
File name:SecuriteInfo.com.Trojan.Win32.Save.a.31095.2421
Download: download sample
Signature DarkVNC
Create hunting rule
File size:1'186'304 bytes
First seen:2021-06-25 01:34:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 95c98b49c73bee041cc2512ce9afe8b5 (2 x DarkVNC, 2 x RedLineStealer)
ssdeep 24576:QZ9OL2Btwign8EZizHwmO9Rlg7CVliOI3oNiR23VLYl87LHgCQObj:VcwIzQ1zgoMOaoNigVLK87LHgCQAj
Threatray 2'220 similar samples on MalwareBazaar
TLSH 54450200A6A1D031F5FB12F89975D2AC6A3D3AF09B6051CF12D5DAEE5634AD2EC32317
Reporter SecuriteInfoCom
Tags:DarkVNC exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Win32.Save.a.31095.2421
Verdict:
Malicious activity
Analysis date:
2021-06-25 01:38:00 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/fd5b171b-47ce-42ee-be5d-4af2acd5e0fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168191/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.31095.2421.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fdf5258c-97fe-45e4-83c5-e69480578286
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.adwa.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/807854
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Enables a proxy for the internet explorer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440265 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 25/06/2021 Architecture: WINDOWS Score: 96 42 Multi AV Scanner detection for submitted file 2->42 44 Machine Learning detection for sample 2->44 9 SecuriteInfo.com.Trojan.Win32.Save.a.31095.exe 1 2->9         started        process3 signatures4 54 Detected unpacking (changes PE section rights) 9->54 56 Detected unpacking (overwrites its own PE header) 9->56 12 rundll32.exe 6 9->12         started        process5 dnsIp6 40 66.85.185.120, 443, 49723, 49742 SSASN2US United States 12->40 32 SecuriteInfo.com.T...32.Save.a.31095.exe, data 12->32 dropped 34 C:\ProgramData\Bklngfpngf\kgjocbpkfku.tmp, PE32 12->34 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->58 60 Bypasses PowerShell execution policy 12->60 17 rundll32.exe 10 23 12->17         started        file7 signatures8 process9 dnsIp10 36 127.0.0.1 unknown unknown 17->36 38 192.168.2.1 unknown unknown 17->38 30 C:\Users\user\AppData\...\tmp28B.tmp.ps1, ASCII 17->30 dropped 46 System process connects to network (likely due to code injection or exploit) 17->46 48 Tries to harvest and steal browser information (history, passwords, etc) 17->48 50 Sets a proxy for the internet explorer 17->50 52 Enables a proxy for the internet explorer 17->52 22 powershell.exe 18 17->22         started        24 powershell.exe 5 17->24         started        file11 signatures12 process13 process14 26 conhost.exe 22->26         started        28 conhost.exe 24->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00028abdb20a478f15791b39f7f2179b0b75ebcd8fee2d6032a9475252251057/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 01:07:06 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1d568e94ad5917ac5ab0f5552f195daa925aa6ec5719eeddefee0483db5e7b82
DarkVNC
3d577f9e7a6d32391040bbec8556c62750e75625f40f16ef33a27230ac2b1b5d
DarkVNC
71bef343c030a099a182448091052c9788988251e1e9e3236cb27b53a5bd318f
DarkVNC
7866bb7085d15613e2f12913cad280e17c750dadcecd208e1e11ba5167e4496b
DarkVNC
972b6465a8dd0ff9e1ec5354c9b6d028f71b0505dcd3388f5edf9976071708c2
DarkVNC
a35a4b8c7fe3d0282fddf831fdec65a894ae0f9f0266f6824689d9770ddf5458
DarkVNC
a6f23f333a1c8eab33961660887f4ebb84f12451db4d8f94c1c01fe5dca71ae8
DarkVNC
d20393005bd47dc79acbf72c5f032a208c33aebb7f76f7bf01b69218161a1232
DarkVNC
d7199616185a4d6187eb375c778dd4e5327df6a5e51018770addb54705732d88
DarkVNC
f1410c202fcc7ef7a804332fbeb58b5274fd7609a0fbe7e3bae93eed2542b519
DarkVNC
+ 2'210 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210625-11lam1x2ka/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
2e9d834c850b4e7b485c79c1e9ead46c3691796bf1732be62561a80483232891
MD5 hash:
3565ebf264f61e0870f81bdc0bcbac2e
SHA1 hash:
003ddac7c5e646369bd039490f7638591a8f5451
Link:
https://www.unpac.me/results/06b21761-4194-4cbb-b87e-1dc6102f5fa3/
SH256 hash:
ca28a199e43898866e4c664350e80e6287f6aac3514e6aeb803fc1a06a9626f1
MD5 hash:
b902a0ec09cc4fedd36fe665a20405cb
SHA1 hash:
be4704dd4b46526221500bd263e66ba41f2a9fba
Link:
https://www.unpac.me/results/06b21761-4194-4cbb-b87e-1dc6102f5fa3/
SH256 hash:
00028abdb20a478f15791b39f7f2179b0b75ebcd8fee2d6032a9475252251057
MD5 hash:
26f9ce8936f12944a0bbd3e8758cba01
SHA1 hash:
41069a780c8ad6010d0cc31b8eb722f416ce208c
Link:
https://www.unpac.me/results/06b21761-4194-4cbb-b87e-1dc6102f5fa3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00028abdb20a478f15791b39f7f2179b0b75ebcd8fee2d6032a9475252251057

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVNC

Executable exe 00028abdb20a478f15791b39f7f2179b0b75ebcd8fee2d6032a9475252251057

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/168191/
  
URLhaus
https://urlhaus.abuse.ch/url/1395933/
  
Delivery method
Distributed via web download

Comments