MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ae829af19623394beedd713e57223f23f48463195eb3ff0251be90d5a18f9f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ae829af19623394beedd713e57223f23f48463195eb3ff0251be90d5a18f9f9
SHA3-384 hash: 2db8d29c0a3fe3ec0261cfe620de98af6fad6e28ed4d17a3a3044013c4f37d3c354b1970a8b9c5a88e5533ea47786f83
SHA1 hash: 17291f5b80496efc656a489c340d8856eec27ee3
MD5 hash: 1ca90b66b79df8576c3d35bfad0f33fa
humanhash: uranus-speaker-pluto-neptune
File name:lv.exe
Download: download sample
Signature DarkVNC
Create hunting rule
File size:1'503'429 bytes
First seen:2021-07-05 10:24:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:TF4yHFRfgqfLT1ZLirRroKDC+4qyRih9wgho0qCGyvZwiP5dYMCvOX9a8KN:JhHFJPfP1ZLuBoAYRmbqAthqN
Threatray 325 similar samples on MalwareBazaar
TLSH BC65330D4A424AB2E1607BB30577C5AD46F3F0592835E53ABB900F9C71B156F8B98B3B
Reporter CholeVallabh
Tags:DarkVNC exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
610fe925494bd7f87858672c17f7d917.exe
Verdict:
Malicious activity
Analysis date:
2021-07-05 09:43:04 UTC
Tags:
trojan stealer loader
Link:
https://app.any.run/tasks/2cc8a873-6591-46c1-8586-f123c52b1ec5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169722/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8806a782-3b97-48e0-8855-ea747c701ef3
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811809
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 444220 Sample: lv.exe Startdate: 05/07/2021 Architecture: WINDOWS Score: 100 79 Found malware configuration 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 8 other signatures 2->85 11 lv.exe 25 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 55 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->55 dropped 57 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->57 dropped 59 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->59 dropped 61 3 other files (none is malicious) 11->61 dropped 18 vpn.exe 7 11->18         started        20 4.exe 4 11->20         started        process5 dnsIp6 24 cmd.exe 1 18->24         started        65 192.168.2.1 unknown unknown 20->65 51 C:\Users\user\AppData\...\SmartClock.exe, PE32 20->51 dropped 27 SmartClock.exe 20->27         started        file7 process8 signatures9 89 Submitted sample is a known malware sample 24->89 91 Obfuscated command line found 24->91 93 Uses ping.exe to sleep 24->93 95 Uses ping.exe to check the status of other devices and networks 24->95 29 cmd.exe 3 24->29         started        32 conhost.exe 24->32         started        process10 signatures11 97 Obfuscated command line found 29->97 99 Uses ping.exe to sleep 29->99 34 Viscere.exe.com 29->34         started        37 PING.EXE 1 29->37         started        40 findstr.exe 1 29->40         started        process12 dnsIp13 87 May check the online IP address of the machine 34->87 43 Viscere.exe.com 3 19 34->43         started        67 127.0.0.1 unknown unknown 37->67 53 C:\Users\user\AppData\...\Viscere.exe.com, Targa 40->53 dropped file14 signatures15 process16 dnsIp17 69 ip-api.com 208.95.112.1, 49726, 80 TUT-ASUS United States 43->69 71 lkjDaQipBFIwqjSQiKtVGjMrK.lkjDaQipBFIwqjSQiKtVGjMrK 43->71 63 C:\Users\user\AppData\Local\...\pikyxoixc.vbs, ASCII 43->63 dropped 47 wscript.exe 12 43->47         started        file18 process19 dnsIp20 73 iplogger.org 88.99.66.31, 443, 49727 HETZNER-ASDE Germany 47->73 75 System process connects to network (likely due to code injection or exploit) 47->75 77 May check the online IP address of the machine 47->77 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ae829af19623394beedd713e57223f23f48463195eb3ff0251be90d5a18f9f9/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 10:25:14 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lluctlyzmizzjpxn24j6k4rd6i7uqrrrsxvt74bfdpuq2wqy7h4q._file
Verdict:
malicious
Similar samples:
0ffa9641556c11890735aba122f4ebf94370fb4aab8c613f5025df7559214f51
DarkVNC
2051871e886545205d446040cb61122e14c743d3a4b295b0c04999d18069b271
DarkVNC
3666dd8e3ce14a3b7273c405f7318402f3c2d203104966f326c3d93ee0d0570a
DarkVNC
65ab84623b8caddbaf3e6819675b14f4e66da969cf580c46d1e559deb03bd89a
DarkVNC
6c5c4c2f8515fad74b9f0e99f00c0a08f44557d7b619a058bf2233bbf0968c60
DarkVNC
aef5d4d5dc8d4c03c42af785cf547f7e43ebc256a15e013cca7561355b27c824
DarkVNC
b2ee06af075bcc9cb66e685417684c91df5cea6679a8ccf6608857dab0a46b50
DarkVNC
bff4375a0d35102b53ca3dbc8811638091b9b2df65bec2b7fc6a38cbf50d0a45
DarkVNC
d6a4310eacb4ab4761b1504fcbe6d5e0da6c6b04563897b527a0de0acca9e83d
DarkVNC
f3ecb43d480674a1e114dc06755c100d5319449b83a85e4d6519c75fefe3cc6f
DarkVNC
+ 315 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210705-z3nqse89c6/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/6d06f4b8-e034-4694-818a-18e47beb2b5f/
SH256 hash:
5438d0b195a4c1eaf0136b4473de4e1cc8f6a3560b72143f0057deeed847f7db
MD5 hash:
a55e2cf5cec3e3edaf84c4f47362f1ce
SHA1 hash:
a5362594ffb49ab67de053796298a8a303e216f3
Link:
https://www.unpac.me/results/6d06f4b8-e034-4694-818a-18e47beb2b5f/
SH256 hash:
4c961490ec568ea86085a80db556b915d1b9cdbc68a533731cb4cf6778b0e22e
MD5 hash:
3809df8c82bad531a363fa0e62440ea3
SHA1 hash:
be4a5c28a88c4efca519f552b5048173960bd1c8
Link:
https://www.unpac.me/results/6d06f4b8-e034-4694-818a-18e47beb2b5f/
SH256 hash:
5ae829af19623394beedd713e57223f23f48463195eb3ff0251be90d5a18f9f9
MD5 hash:
1ca90b66b79df8576c3d35bfad0f33fa
SHA1 hash:
17291f5b80496efc656a489c340d8856eec27ee3
Link:
https://www.unpac.me/results/6d06f4b8-e034-4694-818a-18e47beb2b5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ae829af19623394beedd713e57223f23f48463195eb3ff0251be90d5a18f9f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169722/

Comments