MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 811aac3c419782890d5d83a1446d0e045dfc9a6aebdfed0e151fabcc051fe557. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkVNC


Vendor detections: 11



SHA256 hash: 811aac3c419782890d5d83a1446d0e045dfc9a6aebdfed0e151fabcc051fe557
SHA3-384 hash: 77f1b8fae03c247a4df7682b8d7e6417edbe4953a39aa1186d575e2c0b2763c821836834339651e797ba310f7661f610
SHA1 hash: 0ad1ee02f1b75980c12c523e5883261220d8fced
MD5 hash: b30e8dc3f6759f369969d056e3e5036d
humanhash: summer-fruit-massachusetts-sierra
File name: vt-upload-i9ydy
Download: download sample
Signature: DarkVNC
File size: 266'144 bytes
First seen: 2022-11-02 02:03:18 UTC
Last seen: 2022-11-02 03:52:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d177463b4677a0cf01c9a9340a668b6b (1 x DarkVNC)
ssdeep: 6144:rfzOFbdiOizOEuDjLXBT4xl1XskhA+s9TBHzKYvGaan:LzeRGEXLRT4xphA+s9TtdHan
Threatray: 46 similar samples on MalwareBazaar
TLSH: T15C447D55B3E50DA2EDA3853DC9939B16D7F274161360C74F42A08A5A9F2B3A3763C332
TrID: 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter: malware_traffic
Tags: DarkVNC dll exe


malware_traffic
DarkVNC sample originally submitted to VirusTotal on 2013-04-03.

Intelligence

File Origin
# of uploads: 2
# of downloads: 284
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: vt-upload-i9ydy
Verdict: No threats detected
Analysis date: 2022-11-02 02:04:18 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating synchronization primitives
Sending a custom TCP request

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
EvasionGetTickCount

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: banker carberp

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Yara detected Ramnit VNC Module
Behaviour
Behavior Graph (rendered graph flattened to text; recoverable details listed below):
Behavior Graph ID: 735569
Sample: vt-upload-i9ydy.exe
Start date: 02/11/2022
Architecture: WINDOWS
Score: 76
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Ramnit VNC Module; 2 other signatures
Process tree: loaddll64.exe started rundll32.exe (signature: Opens the same file many times (likely Sandbox evasion)), cmd.exe, a second rundll32.exe and 5 other processes; cmd.exe started rundll32.exe, which started WerFault.exe; the second rundll32.exe and the 5 other processes each started WerFault.exe
Dropped files: C:\ProgramData\Microsoft\...\Report.wer (Unicode), dropped by each of the three WerFault.exe instances
Threat name: Win64.Trojan.Carberp
Status: Malicious
First seen: 2013-04-08 04:15:00 UTC
AV detection: 12 of 25 (48.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Program crash

Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 811aac3c419782890d5d83a1446d0e045dfc9a6aebdfed0e151fabcc051fe557
MD5 hash: b30e8dc3f6759f369969d056e3e5036d
SHA1 hash: 0ad1ee02f1b75980c12c523e5883261220d8fced
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_hvnc_banker_gen
Author: @VK_Intel
Description: Detects malware banker hidden VNC
Reference: https://twitter.com/VK_Intel/status/1247058432223477760

Rule name: crime_win32_hvnc_zloader1_hvnc_generic
Author: @VK_Intel
Description: Detects Zloader hidden VNC
Reference: https://twitter.com/malwrhunterteam/status/1240664014121828352

Rule name: HiddenVNC
Author: @bartblaze
Description: Identifies HiddenVNC, which can start remote sessions.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments