MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4501a9320cfdb2c126e21510b32e9ccead1175a14f5b08197763dc9e356dc91d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4501a9320cfdb2c126e21510b32e9ccead1175a14f5b08197763dc9e356dc91d
SHA3-384 hash: 5c008315cf3b7e84ce916a35256d49260dde98e0fa89d690598edb923f7aca1e4f95edb1d64ada8f19a1084e10014734
SHA1 hash: eb3fdc1336aca54f334bb0c5ce7769c16a282832
MD5 hash: eb5c2dd7765958218d7251352fe33459
humanhash: high-autumn-july-ten
File name:eb5c2dd7765958218d7251352fe33459.exe
Download: download sample
Signature DarkVNC
Create hunting rule
File size:1'019'392 bytes
First seen:2021-07-06 16:16:41 UTC
Last seen:2021-07-06 17:18:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0f83e5878c6074b58556b8acda89e40d (1 x DarkVNC)
ssdeep 24576:ekXucBQWIZkVhHw51HQSr70PW2ZUufizXiXbK2x:YcAkhH6Hb7RuK6bKi
Threatray 2'414 similar samples on MalwareBazaar
TLSH A22523113670CE36C6D698301832C6A0667BBC7256379547BA793F6B8D332C1AAF5F12
Reporter abuse_ch
Tags:DarkVNC exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eb5c2dd7765958218d7251352fe33459.exe
Verdict:
Malicious activity
Analysis date:
2021-07-06 16:23:32 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/76f6ca44-5937-4220-ba4b-1a5ff5d84c70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170038/
Detection(s):
SecuriteInfo.com.Variant.Zusy.391608.15403.27657.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41169c9b-57c1-4f51-9f4c-8f3bb91daf8b
Result
Threat name:
DarkVNC
Create hunting rule
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812453
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Enables a proxy for the internet explorer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DarkVNC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 444867 Sample: MrjiuGgBjm.exe Startdate: 06/07/2021 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected DarkVNC 2->47 49 Machine Learning detection for sample 2->49 9 MrjiuGgBjm.exe 1 2->9         started        process3 file4 35 C:\Users\user\Desktop\MRJIUG~1.EXE.tmp, PE32 9->35 dropped 59 Detected unpacking (changes PE section rights) 9->59 61 Detected unpacking (overwrites its own PE header) 9->61 13 rundll32.exe 6 9->13         started        signatures5 process6 dnsIp7 43 152.89.247.184, 443, 49722, 49728 COMBAHTONcombahtonGmbHDE Germany 13->43 37 C:\ProgramData\Bklngfpngf\kgjocbpkfku.tmp, PE32 13->37 dropped 39 C:\Users\user\Desktop\MrjiuGgBjm.exe, data 13->39 dropped 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->63 65 Bypasses PowerShell execution policy 13->65 18 rundll32.exe 10 23 13->18         started        file8 signatures9 process10 dnsIp11 41 127.0.0.1 unknown unknown 18->41 31 C:\Users\user\AppData\...\tmpB008.tmp.ps1, ASCII 18->31 dropped 33 C:\ProgramData\Bklngfpngf\Vhxwcgzi.tmp, DOS 18->33 dropped 51 System process connects to network (likely due to code injection or exploit) 18->51 53 Tries to harvest and steal browser information (history, passwords, etc) 18->53 55 Sets a proxy for the internet explorer 18->55 57 Enables a proxy for the internet explorer 18->57 23 powershell.exe 17 18->23         started        25 powershell.exe 5 18->25         started        file12 signatures13 process14 process15 27 conhost.exe 23->27         started        29 conhost.exe 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4501a9320cfdb2c126e21510b32e9ccead1175a14f5b08197763dc9e356dc91d/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 16:17:10 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0740efa5efb442cfaf311a0cc7ba1e0d6ae7488dc4e61e113cf67e0ac2138e66
DarkVNC
2c05cd58376851b90256c6131497d81a57a22a47d62cfd54882f91766cb2d59e
DarkVNC
6d4e6d54d7fb566e6887ce79f7d65c151b3092260cc7fef21dc60d46a265b4ff
DarkVNC
847c8df92a7b63e6730a4c1890b3c3f8cbc90439b19719446f6114627ef5a255
DarkVNC
90ef0dacd3f993a784a8f2d884e065704920db45a5abe639f714306b89a2eef8
DarkVNC
9d447a43433856a44289ddd51036a5f7f540c6af981b497b8605638beed2bf5b
DarkVNC
9edc8848e696b6b61cec52ea4d298f22d4475286ed89cf153816ed262f822fdb
DarkVNC
ab7e6dc61621c75a72207bad8a4f3bb1f0a9f1feb515cc1cd3be01009133fc48
DarkVNC
d24b2f6e96fa1b2bb20b19e3b70757887a3f4934d035fde4efdbdd5b9e845df9
DarkVNC
d7199616185a4d6187eb375c778dd4e5327df6a5e51018770addb54705732d88
DarkVNC
+ 2'404 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210706-xkvkpww7jx/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
fca899c8596ee535d812184571df964a85f3133399095c25e2f25cf0545bd785
MD5 hash:
a14d77176912f230f9b68220dabfa88f
SHA1 hash:
0f9faaaa215b5a076591e254f5f815cddc2f8569
Link:
https://www.unpac.me/results/9065c028-5bc0-4bed-9551-2b9bdc0fd5b1/
SH256 hash:
4cd185b58bbeda58d366d98ddc6c8da04cc0fd44d97fe04f73b086547ffe228c
MD5 hash:
f9a8b6f49c0ab804c4d62a179158a18e
SHA1 hash:
da634b2290cef4b574525d5b4963ca1d54024f28
Link:
https://www.unpac.me/results/9065c028-5bc0-4bed-9551-2b9bdc0fd5b1/
SH256 hash:
4501a9320cfdb2c126e21510b32e9ccead1175a14f5b08197763dc9e356dc91d
MD5 hash:
eb5c2dd7765958218d7251352fe33459
SHA1 hash:
eb3fdc1336aca54f334bb0c5ce7769c16a282832
Link:
https://www.unpac.me/results/9065c028-5bc0-4bed-9551-2b9bdc0fd5b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4501a9320cfdb2c126e21510b32e9ccead1175a14f5b08197763dc9e356dc91d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVNC

Executable exe 4501a9320cfdb2c126e21510b32e9ccead1175a14f5b08197763dc9e356dc91d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1430297/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1430392/
  
URLhaus
https://urlhaus.abuse.ch/url/1407122/
Cape
Cape
https://www.capesandbox.com/analysis/170038/

Comments