MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6695e657eb4222667327f2491e831ec37ea3910fb90fc0a1d73e2e272eab95dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6695e657eb4222667327f2491e831ec37ea3910fb90fc0a1d73e2e272eab95dc
SHA3-384 hash: 8a5bbf17295ee000e493be6a84e94801d7d56f48a1cf337a9f882272d4050369e01ed060a6f6f32cf8ca21873c6a7bd0
SHA1 hash: 2f011fcc2525d52a1dff0cff1bf652472ea2e309
MD5 hash: c7364193b982c090d8426630dab87226
humanhash: pip-pip-mountain-connecticut
File name:c7364193b982c090d8426630dab87226
Download: download sample
Signature DarkVNC
Create hunting rule
File size:1'460'224 bytes
First seen:2021-07-12 23:20:45 UTC
Last seen:2021-07-12 23:45:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 94408c4b2c665863899b7a96fe56aca0 (1 x DarkVNC)
ssdeep 24576:PkOH/N8Ea+OmvrJ/DpejTIlocUGJIniCvnCzHcWNmHHU8sGBd3x:PkOHFJa+Oq1D9mcIFvnsp8xs6x
Threatray 2'492 similar samples on MalwareBazaar
TLSH T1E9652352FBB1C437D4A319B85074C7B03A23B92678B0291E79133A0F5E36196B9F935A
Reporter zbetcheckin
Tags:32 DarkVNC exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c7364193b982c090d8426630dab87226
Verdict:
Suspicious activity
Analysis date:
2021-07-12 23:22:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c97815b-cce2-43e5-8687-47ff58b229cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Blackrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171194/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.28903.30994.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29fdb9ed-ea7e-45fa-a974-9ad45b57ae3d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815200
Signature
Bypasses PowerShell execution policy
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Enables a proxy for the internet explorer
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447611 Sample: C3eHPktKGb Startdate: 13/07/2021 Architecture: WINDOWS Score: 100 65 Multi AV Scanner detection for submitted file 2->65 67 Machine Learning detection for sample 2->67 10 C3eHPktKGb.exe 2->10         started        process3 signatures4 79 Detected unpacking (changes PE section rights) 10->79 81 Detected unpacking (overwrites its own PE header) 10->81 83 Contains functionality to inject code into remote processes 10->83 85 Injects a PE file into a foreign processes 10->85 13 C3eHPktKGb.exe 1 10->13         started        process5 file6 47 C:\Users\user\Desktop\C3EHPK~1.EXE.dll, PE32 13->47 dropped 16 rundll32.exe 2 13->16         started        process7 dnsIp8 49 192.236.161.79, 443, 49709, 49723 HOSTWINDSUS United States 16->49 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->59 61 Bypasses PowerShell execution policy 16->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 16->63 20 rundll32.exe 10 25 16->20         started        signatures9 process10 dnsIp11 55 127.0.0.1 unknown unknown 20->55 57 192.168.2.1 unknown unknown 20->57 45 C:\Users\user\AppData\...\tmpD5C6.tmp.ps1, ASCII 20->45 dropped 69 System process connects to network (likely due to code injection or exploit) 20->69 71 Tries to harvest and steal browser information (history, passwords, etc) 20->71 73 Sets a proxy for the internet explorer 20->73 75 Enables a proxy for the internet explorer 20->75 25 powershell.exe 12 20->25         started        28 powershell.exe 17 20->28         started        30 schtasks.exe 1 20->30         started        32 schtasks.exe 1 20->32         started        file12 signatures13 process14 signatures15 77 Uses nslookup.exe to query domains 25->77 34 nslookup.exe 1 25->34         started        37 conhost.exe 25->37         started        39 conhost.exe 28->39         started        41 conhost.exe 30->41         started        43 conhost.exe 32->43         started        process16 dnsIp17 51 localhost 34->51 53 8.8.8.8.in-addr.arpa 34->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6695e657eb4222667327f2491e831ec37ea3910fb90fc0a1d73e2e272eab95dc/
Threat name:
Win32.Ransomware.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 23:21:06 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2k6mv7liirgm4zh6jer5ay6yn7kheipxeh4bioxhyxcolvlsxoa._file
Verdict:
malicious
Similar samples:
1a7f51c4e1cd935526684521fb7890dde315dfd49b4b681044f8b14c6a7c88a0
DarkVNC
3d577f9e7a6d32391040bbec8556c62750e75625f40f16ef33a27230ac2b1b5d
DarkVNC
549d8c5e666fe53f6f368df5cd76424bca7ae9f8c07684e2ff19be04fb1815d1
DarkVNC
71bef343c030a099a182448091052c9788988251e1e9e3236cb27b53a5bd318f
DarkVNC
7443a98b0d8781ce10c495383c3aecfd6cc0a7f3e6d9c0d9638c8fd5e2f5264e
DarkVNC
7866bb7085d15613e2f12913cad280e17c750dadcecd208e1e11ba5167e4496b
DarkVNC
a35a4b8c7fe3d0282fddf831fdec65a894ae0f9f0266f6824689d9770ddf5458
DarkVNC
aa6206082575919b3b0ea11c5430082a8b6b2251ca4d4aeedfe663ca250fdafb
DarkVNC
c0493b2725b38545cd7b51015335c87e842096b635e2055b6cc30c038d69336f
DarkVNC
f1410c202fcc7ef7a804332fbeb58b5274fd7609a0fbe7e3bae93eed2542b519
DarkVNC
+ 2'482 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210712-t3mpksjx8e/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
c6b6d5d6a84bd1bc9a9abc702d9604553e75fdcb324b6efd03d2e67b2227cce4
MD5 hash:
0d7faa50a4ab8be11dcf58d337493eaf
SHA1 hash:
ddf38434badc8969f560f423516ea95d969467b6
Link:
https://www.unpac.me/results/5ca0107e-8408-4c70-841f-46ce2d2cf081/
SH256 hash:
b0ad25d1ae84a890b5672410fc2ff32fb30ea8f48ff22f89e2a3c199ee09cfdf
MD5 hash:
6eefcb6b9f28b547b918ab9e2426cc18
SHA1 hash:
401410c6cd959c87e763aa811e9c8b77d2183f78
Link:
https://www.unpac.me/results/5ca0107e-8408-4c70-841f-46ce2d2cf081/
SH256 hash:
6695e657eb4222667327f2491e831ec37ea3910fb90fc0a1d73e2e272eab95dc
MD5 hash:
c7364193b982c090d8426630dab87226
SHA1 hash:
2f011fcc2525d52a1dff0cff1bf652472ea2e309
Link:
https://www.unpac.me/results/5ca0107e-8408-4c70-841f-46ce2d2cf081/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6695e657eb4222667327f2491e831ec37ea3910fb90fc0a1d73e2e272eab95dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVNC

Executable exe 6695e657eb4222667327f2491e831ec37ea3910fb90fc0a1d73e2e272eab95dc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1448823/
Cape
Cape
https://www.capesandbox.com/analysis/171194/

Comments


Avatar
zbet commented on 2021-07-12 23:20:48 UTC

url : hxxp://192.119.111.216/myfile.exe