MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkVNC

Vendor detections: 6

SHA256 hash: 43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c
SHA3-384 hash: 5801bebed35886f745ed1c011b83b0d55d63ea87b943d80c3a9327c55a691ce5ab4fd91f551acc575d33be9d541dc10c
SHA1 hash: 8e90dc300bb91dd6ce57566116b156e3473cf646
MD5 hash: 18c3793f2df5ae48b55a9a1825b1c1fb
humanhash: maine-uniform-jupiter-lion
File name: idu567.tmp
Signature: DarkVNC
File size: 1'701'376 bytes
First seen: 2021-06-30 19:47:46 UTC
Last seen: 2021-06-30 20:54:32 UTC
File type: dll
MIME type: application/x-dosexec
imphash: be0a2d959e20c7f06e996a3dfae0d06d (1 x DarkVNC)
ssdeep: 24576:L3G8qqDn4HT28T14a5EhXn6LLdHr/CLn+/nfwoeCOUgFqmRCka/2qp5e+l8U3h:iiYTtwaLdHryn+ZRg5rqJ3
Threatray: 53 similar samples on MalwareBazaar
TLSH: CA75AD143759FD25C2E6A2364F65E4E11B0934682B7440DF38F87FAF2FAD4A35A68306
Reporter: malware_traffic
Tags: DarkVNC dll vnc

Intelligence


File Origin
# of uploads: 2
# of downloads: 174
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature:
- Allocates memory in foreign processes
- Contains functionality to inject threads in other processes
- Contains VNC / remote desktop functionality (version string found)
- Found evasive API chain (may stop execution after checking mutex)
- Malicious sample detected (through community Yara rule)
- Maps a DLL or memory area into another process
- Modifies the context of a thread in another process (thread injection)
- Searches for specific processes (likely to inject)
- Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- Writes to foreign memory regions
- Yara detected Ramnit VNC Module
Behaviour
Behavior Graph (ID 442606; sample idu567.tmp; start date 30/06/2021; architecture WINDOWS; score 92): process tree loaddll32.exe -> rundll32.exe, cmd.exe (-> rundll32.exe), rundll32.exe and 3 other processes, each followed by WerFault.exe; network contact 172.241.27.226:443 (LEASEWEB-USA-DAL-10, United States). The signature hits shown on the graph nodes are the same as those listed under Signature above.
Threat name: Win32.Trojan.Carberp
Status: Malicious
First seen: 2021-06-30 19:48:10 UTC
AV detection: 3 of 46 (6.52%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext

Unpacked files
SHA256 hash: 43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c
MD5 hash: 18c3793f2df5ae48b55a9a1825b1c1fb
SHA1 hash: 8e90dc300bb91dd6ce57566116b156e3473cf646
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments