MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ec052723554cf7ca4d858c39daa9db4710f6bbf2db29bcb77c17f488533b71f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkVNC

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	8ec052723554cf7ca4d858c39daa9db4710f6bbf2db29bcb77c17f488533b71f
SHA3-384 hash:	66831a42d1a775cacf8d0167c45d1a6b1408bb6f61dd34f62528bb2ea87bd96a24b421517f5b2c798e66c8f306f1eb25
SHA1 hash:	633cf8e4cfc6b20081514a2eb773b758429290ef
MD5 hash:	38b7da1ce1f5a54407944249b618207a
humanhash:	romeo-wolfram-ink-november
File name:	38b7da1ce1f5a54407944249b618207a.exe
Download:	download sample
Signature	DarkVNC Create hunting rule
File size:	1'145'856 bytes
First seen:	2021-07-09 08:22:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	af6c9d29df6d280539373e6d2e11b49a (1 x DarkVNC)
ssdeep	24576:SiW22WX0w+ovLkeIHJ907dE1lGsWdBsbkNXCeMWJbQ+A:ihovoRp9oElGvdBsceH
Threatray	6 similar samples on MalwareBazaar
TLSH	T1BB350220B7B0D039F5F326F15AB95368662EBEA09B3440CF12D92AED9A745D0ED31707
Reporter	abuse_ch
Tags:	DarkVNC exe

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

38b7da1ce1f5a54407944249b618207a.exe

Verdict:

Malicious activity

Analysis date:

2021-07-09 08:23:13 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/4d680f75-25ef-45ac-8295-87634fa12d06

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/170631/

Detection(s):

Win.Packed.Generic-9876400-0

Win.Packed.Generic-9876586-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9b824467-8575-4b40-b46e-7160c8b7c912

Result

Threat name:

DarkVNC

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/813904

Signature

Contains functionality to modify LDT segment tables

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DarkVNC

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8ec052723554cf7ca4d858c39daa9db4710f6bbf2db29bcb77c17f488533b71f/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2021-07-08 01:40:00 UTC

AV detection:

12 of 29 (41.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=r3afe4rvkthxzjgyldbz3ku5wryq6257fwzjxs3xyf7urbjtw4pq._file

Verdict:

unknown

DarkVNC

4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

DarkVNC

74498a0a179b34e0d1e4c278deb7563129cb30363094d50b3c4f579a6a967b62

DarkVNC

9cda98989c3b49da5566c23722e52231ecf25934e12e81c09bc845312f6a86d9

DarkVNC

a4ba89389929db2c9baa52e9b858164dad161d53ba61a73712a2c3ba92b49ec5

DarkVNC

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/210709-rh68tptx8j/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Blocklisted process makes network request

Unpacked files

SH256 hash:

895155786cb7485395400b3d76d69faa26f34532dfa65068044038cb2f1c4892

MD5 hash:

8e5a9a51eb13ced4d1bbec25a0376e32

SHA1 hash:

77433616232cdf8a990c511364c991cc44f8b6e5

Link:

https://www.unpac.me/results/cbccdf3b-6b54-4eec-9429-43fc3277b5c2/

SH256 hash:

895155786cb7485395400b3d76d69faa26f34532dfa65068044038cb2f1c4892

MD5 hash:

8e5a9a51eb13ced4d1bbec25a0376e32

SHA1 hash:

77433616232cdf8a990c511364c991cc44f8b6e5

Link:

https://www.unpac.me/results/cbccdf3b-6b54-4eec-9429-43fc3277b5c2/

SH256 hash:

41c064b2dc27445c13258b31edc231d1a0359a2c905844ff288bdaf0a05d7e4e

MD5 hash:

3aff0c1ef63b6a20827dac646b438b02

SHA1 hash:

a03af1012d9f35caaf241c72d5ff43695a337d4e

Link:

https://www.unpac.me/results/cbccdf3b-6b54-4eec-9429-43fc3277b5c2/

SH256 hash:

5b5f0b7fb54addd8f7aed40b224d5339d4bca5513b1d803f2a4ae087a2eb37e6

MD5 hash:

cd398a43193a3ecdfa688a171181f373

SHA1 hash:

5de15ff09dad2ab73f69ed7b69d31e2401f235f9

Link:

https://www.unpac.me/results/cbccdf3b-6b54-4eec-9429-43fc3277b5c2/

SH256 hash:

695d5f401c2fe37a8cfe6850bee806670972dbd00598d9377f86fe0ed3b2f0e8

MD5 hash:

7e1641a2d5c22d85ed6c3f693268ad97

SHA1 hash:

5d88e47b2c61a002e32ad000079de6e862ac7edd

Link:

https://www.unpac.me/results/cbccdf3b-6b54-4eec-9429-43fc3277b5c2/

SH256 hash:

8ec052723554cf7ca4d858c39daa9db4710f6bbf2db29bcb77c17f488533b71f

MD5 hash:

38b7da1ce1f5a54407944249b618207a

SHA1 hash:

633cf8e4cfc6b20081514a2eb773b758429290ef

Link:

https://www.unpac.me/results/cbccdf3b-6b54-4eec-9429-43fc3277b5c2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8ec052723554cf7ca4d858c39daa9db4710f6bbf2db29bcb77c17f488533b71f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time