MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bdabf667555e37d4bf5afdcb3b4331c68571ca798340cbf6f3b2c206b840975. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bdabf667555e37d4bf5afdcb3b4331c68571ca798340cbf6f3b2c206b840975
SHA3-384 hash: a3294ee21c76a7944820dd6f22cdded93826bab296b6321f3dfce9402bf9b5c48bfec1f56c1a7c0db92a7daed8d05cd2
SHA1 hash: c6c565f217187954e112b023eccb2e8590873d73
MD5 hash: a9d08d19c0e5dffe3bf3726748a1f531
humanhash: winner-uncle-nine-snake
File name:4bdabf667555e37d4bf5afdcb3b4331c68571ca798340cbf6f3b2c206b840975
Download: download sample
Signature DarkVNC
Create hunting rule
File size:479'232 bytes
First seen:2021-01-14 18:56:19 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 3d0140f531df8431a486e102f841c61f (1 x DarkVNC)
ssdeep 12288:b+3FoKdzma9gOvqM00Nng+Q0CMAGQ5ax:CVoKzmwNnXQ0CB4
Threatray 46 similar samples on MalwareBazaar
TLSH CCA4F141C69671EEE5EE15F8517E31AAC411072E0330EEE37B6819F6EC35DE4AD38246
Reporter Anonymous
Tags:DarkVNC

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
HiddenVNC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112019/
Detection(s):
SecuriteInfo.com.Variant.Bulz.209204.2245.25309.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ramnit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581664
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Writes to foreign memory regions
Yara detected Ramnit VNC Module
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bdabf667555e37d4bf5afdcb3b4331c68571ca798340cbf6f3b2c206b840975/
Threat name:
Win32.Backdoor.DarkVnc
Create hunting rule
Status:
Malicious
First seen:
2021-01-11 01:06:00 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jpnl6ztvkxrx2s7vv7olhnbtdrufohfhta2azp3phmwca24ebf2q._file
Verdict:
suspicious
Similar samples:
07fd393e36e2519dda8edff80b6c629347586a628d70103d0cb425ba5c6cd0b9
DarkVNC
102309e3bb52f160ab298e054ca17e117fd602607121429fcd0275e99f1763da
DarkVNC
3785550afcc22a9c9cc82c4f6515f77eb9cc0984966aeb238d57e1ea3cb9d351
DarkVNC
3851673a8448fae896b14ae44ce35adf89113f914387fd8dce6ccaeff6f5b123
DarkVNC
3f5bc52dbad154f0693d28e459ff19c203c93ec58d6d99fa86631b049ba9746a
DarkVNC
6641844eca61aba9bea60b2dee53da73541ec911b58363d78884c0c05aaef662
DarkVNC
777441ba67aa9043dac6a7d9ed97ac483935ac25b0781ca3494f72ea15119f50
DarkVNC
c87ccc80f1c070fec4033411d19cb2c12d6bfdcd723c1d97879d2dbae3690e17
DarkVNC
f22462a16e1e5b3eed3a84c6003aef25eb4ccdd78cb7064fdb39404528f3b9f0
DarkVNC
f327fd0a9151dfcbdfadd244a57d3cdb08e55f5ec3ced39497a39c2ff01d95ce
DarkVNC
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210114-ll3tkws3cj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of SetThreadContext
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
4bdabf667555e37d4bf5afdcb3b4331c68571ca798340cbf6f3b2c206b840975
MD5 hash:
a9d08d19c0e5dffe3bf3726748a1f531
SHA1 hash:
c6c565f217187954e112b023eccb2e8590873d73
Link:
https://www.unpac.me/results/7c057869-0047-4649-be88-50fff0869bcb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bdabf667555e37d4bf5afdcb3b4331c68571ca798340cbf6f3b2c206b840975

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_DarkVNC
Create hunting rule
Author:abuse.ch
Description:Detects DarkVNC
Rule name:crime_win32_hvnc_banker_gen
Create hunting rule
Author:@VK_Intel
Description:Detects malware banker hidden VNC
Reference:https://twitter.com/VK_Intel/status/1247058432223477760
Rule name:crime_win32_hvnc_zloader1_hvnc_generic
Create hunting rule
Author:@VK_Intel
Description:Detects Zloader hidden VNC
Reference:https://twitter.com/malwrhunterteam/status/1240664014121828352
Rule name:HiddenVNC
Create hunting rule
Author:@bartblaze
Description:Identifies HiddenVNC, which can start remote sessions.
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/112019/

Comments