MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b844cc75f594f536f486b137817a497407b689725ab45c7904444e82374d4ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b844cc75f594f536f486b137817a497407b689725ab45c7904444e82374d4ac
SHA3-384 hash: 20ea2d1db09ece34aa1da3ef1661e2f8e14ab280b141ed93581c5da304f694596634ab6e4c82205219f1a2569d66869a
SHA1 hash: ffcde3a96670552d239d547b4c3f44aa77c0fdb7
MD5 hash: 16493223940cd99199a672e44dec05d6
humanhash: jupiter-alaska-six-grey
File name:idu9A98.exe
Download: download sample
Signature DarkVNC
Create hunting rule
File size:2'142'720 bytes
First seen:2021-06-29 02:22:29 UTC
Last seen:2021-06-29 03:22:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 67f1f64a3db0d22bf48121a6cea1da22 (1 x DarkVNC)
ssdeep 24576:m92KPqd9u0yepqI5DpBa4w3JhGdvpJhHmAc+dYTTRKwUvC5YYGayq1FOXTK8HidV:s2fyepz5DpLwnaxbc1t4iCaDvkKpdV
Threatray 42 similar samples on MalwareBazaar
TLSH 3FA5CE13FAC2A4B2E8E5107163BB5BF69E3C66114328D4DBF2C818761E341E2763E795
Reporter malware_traffic
Tags:DarkVNC exe vnc

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
idu9A98.exe
Verdict:
No threats detected
Analysis date:
2021-06-28 22:12:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f800b4d2-1ff9-49f2-99e9-8cd5f148fb96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.19992.11552.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Gootkit
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6022879d-0c6d-4ee3-84c3-3b9bae3de0e6
Result
Threat name:
Ramnit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809045
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Yara detected Ramnit VNC Module
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b844cc75f594f536f486b137817a497407b689725ab45c7904444e82374d4ac/
Threat name:
Win32.Backdoor.DarkVnc
Create hunting rule
Status:
Malicious
First seen:
2021-06-29 01:03:47 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pocezr27lfhvg32inmjxqf5es5ahw2exewvulr4qircoqi3u2swa._file
Verdict:
suspicious
Similar samples:
102309e3bb52f160ab298e054ca17e117fd602607121429fcd0275e99f1763da
DarkVNC
3851673a8448fae896b14ae44ce35adf89113f914387fd8dce6ccaeff6f5b123
DarkVNC
3f5bc52dbad154f0693d28e459ff19c203c93ec58d6d99fa86631b049ba9746a
DarkVNC
6641844eca61aba9bea60b2dee53da73541ec911b58363d78884c0c05aaef662
DarkVNC
6dabb536b810b343e17374dc7762923dbdc99ac5c0ce65222c2977d0c5a5a9a5
DarkVNC
777441ba67aa9043dac6a7d9ed97ac483935ac25b0781ca3494f72ea15119f50
DarkVNC
7af5e71f56d7a9a55935cc6bd430e0aaba8b998327a46326c2b030de332d3f6b
DarkVNC
c87ccc80f1c070fec4033411d19cb2c12d6bfdcd723c1d97879d2dbae3690e17
DarkVNC
f327fd0a9151dfcbdfadd244a57d3cdb08e55f5ec3ced39497a39c2ff01d95ce
DarkVNC
f50543c702f7c2321abb55697df8bba3a53c613d38050667852942dcecc0c184
DarkVNC
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210629-y2vbt41hf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
91615b0754c8c2839364a60f54b4442e8afc55fb7edb34f765fef76256fb28a9
MD5 hash:
ab3fe8c53ee7d1944be3501bc6916744
SHA1 hash:
cfbadc1ad71c7218ca6eceff2c5da7761dd545f2
Link:
https://www.unpac.me/results/4b40c165-a8ff-44d2-9414-90ce66728f60/
SH256 hash:
ce94b9ad01fbbda47ab74a3f62c49c87ad8b65f8953ee7c03914159b711a6fa8
MD5 hash:
7d7f96e388f6ae90687e68b4984a020e
SHA1 hash:
14732bea022818b80591e56a4d3abd10c2b40464
Link:
https://www.unpac.me/results/4b40c165-a8ff-44d2-9414-90ce66728f60/
SH256 hash:
7b844cc75f594f536f486b137817a497407b689725ab45c7904444e82374d4ac
MD5 hash:
16493223940cd99199a672e44dec05d6
SHA1 hash:
ffcde3a96670552d239d547b4c3f44aa77c0fdb7
Link:
https://www.unpac.me/results/4b40c165-a8ff-44d2-9414-90ce66728f60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b844cc75f594f536f486b137817a497407b689725ab45c7904444e82374d4ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_hvnc_banker_gen
Create hunting rule
Author:@VK_Intel
Description:Detects malware banker hidden VNC
Reference:https://twitter.com/VK_Intel/status/1247058432223477760
Rule name:crime_win32_hvnc_zloader1_hvnc_generic
Create hunting rule
Author:@VK_Intel
Description:Detects Zloader hidden VNC
Reference:https://twitter.com/malwrhunterteam/status/1240664014121828352
Rule name:HiddenVNC
Create hunting rule
Author:@bartblaze
Description:Identifies HiddenVNC, which can start remote sessions.
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
Brad commented on 2021-06-29 02:23:24 UTC

Reference: https://twitter.com/malware_traffic/status/1409664178357379075