MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 847c8df92a7b63e6730a4c1890b3c3f8cbc90439b19719446f6114627ef5a255. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 847c8df92a7b63e6730a4c1890b3c3f8cbc90439b19719446f6114627ef5a255
SHA3-384 hash: 6fa378ea46cc524ecda45ee27d8c6656ace140c8dff3cc1f9841341f7ac28b4267d80e38667172571c7ecf444a229839
SHA1 hash: f46d63dc9dfe7addfdbace055520ce84fb30d380
MD5 hash: 9156d117d4107fb3787152bbde3aa26d
humanhash: hamper-double-fillet-alpha
File name:9156d117d4107fb3787152bbde3aa26d
Download: download sample
Signature DarkVNC
Create hunting rule
File size:1'078'272 bytes
First seen:2021-07-04 02:07:15 UTC
Last seen:2021-07-04 02:53:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0760b4351aea3a041b7d697c921cb850 (3 x DarkVNC, 2 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep 24576:Y5qzoyXxVAx5xJVtOa08FI6SbHLQeP2xGNhlUpJwgxtu:Y5qzzXjAxhXOa08FIXHLQpxGNhlUpJwI
TLSH 4D3523906601CA36D45145B004159BD69F6CBE3A9EAB4A43F3CC299FAF337C474EB24B
Reporter zbetcheckin
Tags:32 DarkVNC exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9156d117d4107fb3787152bbde3aa26d
Verdict:
Malicious activity
Analysis date:
2021-07-04 02:09:19 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/4bb40600-0015-4fbf-85d7-c14e851417e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169530/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.5862.414.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad2ed830-5998-4829-83f7-cdc4fd8479f1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/811482
Signature
Contain functionality to detect virtual machines
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/847c8df92a7b63e6730a4c1890b3c3f8cbc90439b19719446f6114627ef5a255/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-07-03 23:46:00 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210704-h2cf3jzste/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
8444411865266757e13fafeac40cf0cb4ee57406ff59efec1f7cfda61b361149
MD5 hash:
4474060c8f6274b3d30cb7f4a80e5d4c
SHA1 hash:
f34df5fcf50392c2fae95e61ef2167c2ef564122
Link:
https://www.unpac.me/results/94bc150a-899a-4e0c-8126-43004121c3a5/
SH256 hash:
9d4e27724842ef14a04d8092c193aa46fb5f7bf919e93143ad1f2091f23fd4dc
MD5 hash:
f6866ebf73048570c6cea52e7d908a74
SHA1 hash:
a2f8178538117cef35f2ea9d19b571af47dcd0ef
Link:
https://www.unpac.me/results/94bc150a-899a-4e0c-8126-43004121c3a5/
SH256 hash:
847c8df92a7b63e6730a4c1890b3c3f8cbc90439b19719446f6114627ef5a255
MD5 hash:
9156d117d4107fb3787152bbde3aa26d
SHA1 hash:
f46d63dc9dfe7addfdbace055520ce84fb30d380
Link:
https://www.unpac.me/results/94bc150a-899a-4e0c-8126-43004121c3a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/847c8df92a7b63e6730a4c1890b3c3f8cbc90439b19719446f6114627ef5a255

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVNC

Executable exe 847c8df92a7b63e6730a4c1890b3c3f8cbc90439b19719446f6114627ef5a255

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1407122/
Cape
Cape
https://www.capesandbox.com/analysis/169530/

Comments


Avatar
zbet commented on 2021-07-04 02:07:16 UTC

url : hxxp://23.254.229.122/servces.exe