MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d568e94ad5917ac5ab0f5552f195daa925aa6ec5719eeddefee0483db5e7b82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d568e94ad5917ac5ab0f5552f195daa925aa6ec5719eeddefee0483db5e7b82
SHA3-384 hash: 7449684c4363af13abbdec290d460fc000ae2a96e98cff42c8ee293ecea3673c4695cb0b9e87f8293cf78f84588f9d35
SHA1 hash: 68071fa5a1bb753ef4fe0998dd78616df5359792
MD5 hash: cb3973237fdcf1b38362e0e7efd28609
humanhash: california-minnesota-zulu-wyoming
File name:cb3973237fdcf1b38362e0e7efd28609
Download: download sample
Signature DarkVNC
Create hunting rule
File size:1'186'304 bytes
First seen:2021-06-24 22:09:55 UTC
Last seen:2021-06-24 22:46:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 95c98b49c73bee041cc2512ce9afe8b5 (2 x DarkVNC, 2 x RedLineStealer)
ssdeep 24576:LG9z5TTRf7b8XnYM1VOTwyTzxd2dyr/cDJO1mFAqJUd82QoV4qBMN:+Bf7QXn4JTzj2dyrfmFAqJUd8NouqB2
Threatray 2'105 similar samples on MalwareBazaar
TLSH 44450100A6A1D031F5F702F49975E76C6A3A3DF05B6450CB42D1DAEE2A786E9EC32317
Reporter zbetcheckin
Tags:32 DarkVNC exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cb3973237fdcf1b38362e0e7efd28609
Verdict:
Malicious activity
Analysis date:
2021-06-24 22:13:26 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/c276acc9-34fc-4647-9cdd-d7cb9c7b7093

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168164/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.6590.4510.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df546384-d495-41c0-a0ca-8c44b0bc92d8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.adwa.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/807808
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Enables a proxy for the internet explorer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440219 Sample: diBMLR1L0X Startdate: 25/06/2021 Architecture: WINDOWS Score: 96 42 Multi AV Scanner detection for submitted file 2->42 44 Machine Learning detection for sample 2->44 9 diBMLR1L0X.exe 1 2->9         started        process3 signatures4 54 Detected unpacking (changes PE section rights) 9->54 56 Detected unpacking (overwrites its own PE header) 9->56 12 rundll32.exe 6 9->12         started        process5 dnsIp6 40 66.85.185.120, 443, 49741, 49760 SSASN2US United States 12->40 32 C:\Users\user\Desktop\diBMLR1L0X.exe, data 12->32 dropped 34 C:\ProgramData\Bklngfpngf\kgjocbpkfku.tmp, PE32 12->34 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->58 60 Bypasses PowerShell execution policy 12->60 17 rundll32.exe 10 23 12->17         started        file7 signatures8 process9 dnsIp10 36 127.0.0.1 unknown unknown 17->36 38 192.168.2.1 unknown unknown 17->38 30 C:\Users\user\AppData\...\tmpD8B.tmp.ps1, ASCII 17->30 dropped 46 System process connects to network (likely due to code injection or exploit) 17->46 48 Tries to harvest and steal browser information (history, passwords, etc) 17->48 50 Sets a proxy for the internet explorer 17->50 52 Enables a proxy for the internet explorer 17->52 22 powershell.exe 18 17->22         started        24 powershell.exe 8 17->24         started        file11 signatures12 process13 process14 26 conhost.exe 22->26         started        28 conhost.exe 24->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d568e94ad5917ac5ab0f5552f195daa925aa6ec5719eeddefee0483db5e7b82/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 22:10:26 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
05d6308da69a011a5f95088f5ae7d68aa09e430b05c169dc53d701776b08dd62
DarkVNC
173240b443fdb5cc7ed97cf6eedeb0d823924df3dab6d468c9da2898443f3ac6
DarkVNC
20acf8e3536debdf0686fc565b0528a0d25672c7360c39602ab6a59629e53308
DarkVNC
2dc2cf646b7c31af83b7e91b3fabcb0c86cefea53aca57ce7e0d52aa943de13c
DarkVNC
2fbf6c5454bb88073ecbc13b293375ec58a9f8636c188881ffd7a3573f3c1cac
DarkVNC
4d332053c49f1a46c0594b6769385c42c801c0b20d059e46ff231db47627c048
DarkVNC
69fac4fe77b6da550498724f01e6db66d5c18a19c185d824bf62afdaccb0a7d6
DarkVNC
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
DarkVNC
8fa3eaa46c7d8d1f44a2eeca895f802f2aa7a2251bab347ccb765c72d63ccb58
DarkVNC
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
DarkVNC
+ 2'095 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210624-knmt3mgeqx/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
ca28a199e43898866e4c664350e80e6287f6aac3514e6aeb803fc1a06a9626f1
MD5 hash:
b902a0ec09cc4fedd36fe665a20405cb
SHA1 hash:
be4704dd4b46526221500bd263e66ba41f2a9fba
Link:
https://www.unpac.me/results/92ae8898-20dc-42ee-a6ee-20c390b615e2/
SH256 hash:
5d3c64f00742981ceb434d0f85db63dedab1c58ebea93b498ed46ec7c862da06
MD5 hash:
4261384e383d6724f8426afef65cb071
SHA1 hash:
44540714b84508ca447fcf22944005c9bdcb27e4
Link:
https://www.unpac.me/results/92ae8898-20dc-42ee-a6ee-20c390b615e2/
SH256 hash:
1d568e94ad5917ac5ab0f5552f195daa925aa6ec5719eeddefee0483db5e7b82
MD5 hash:
cb3973237fdcf1b38362e0e7efd28609
SHA1 hash:
68071fa5a1bb753ef4fe0998dd78616df5359792
Link:
https://www.unpac.me/results/92ae8898-20dc-42ee-a6ee-20c390b615e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d568e94ad5917ac5ab0f5552f195daa925aa6ec5719eeddefee0483db5e7b82

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVNC

Executable exe 1d568e94ad5917ac5ab0f5552f195daa925aa6ec5719eeddefee0483db5e7b82

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168164/
  
URLhaus
https://urlhaus.abuse.ch/url/1395933/

Comments