MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a288c4d3129a5fbc475d58916a465a9e43ba804a23dd6aa6726947c4ce9081bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkVNC


Vendor detections: 9



SHA256 hash: a288c4d3129a5fbc475d58916a465a9e43ba804a23dd6aa6726947c4ce9081bf
SHA3-384 hash: ca97257906b7cdc5f12bd9c46e5ed6246b4a7b2c431fb8bd41fab1cd6f419a669f026ba3cac3daf4ef46a52b1e64062b
SHA1 hash: a95ab1a564e5d3f5c5aa597e28a05a21e23c3256
MD5 hash: a3fd74bc897d19c94815d58ba48c199f
humanhash: green-eight-alabama-wisconsin
File name: a3fd74bc897d19c94815d58ba48c199f
Signature: DarkVNC
File size: 1'180'672 bytes
First seen: 2021-07-08 16:03:46 UTC
Last seen: 2021-07-08 17:37:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e17f7b1d002ab984875bfae146483af9 (1 x DarkVNC)
ssdeep: 24576:NtpkMXRIq9LVva8yqY7yUlSK9vfTK5PVnXzJSXquTWaCphXEkMMr0:NtXImLp0qY7yUlSKdKZVnidtItMZ
Threatray: 2'463 similar samples on MalwareBazaar
TLSH: T1C5450110BB61D03AF5B726F4457592A8663E3EB1AF2090CBE2D526EE56702D0ECF1317
Reporter: zbetcheckin
Tags: 32 DarkVNC exe
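Before touching a downloaded sample it is worth confirming that the bytes on disk are the ones this entry describes, since the hashes above are the only link between the entry and the file. The following is an added example (not MalwareBazaar code) that computes every digest listed here in a single pass over the file and reports which ones disagree; the digests of the constructed input b"abc" are the standard test-vector values, and the BAZAAR_ENTRY dictionary is copied from the fields above for checking a real download.

```python
"""Verify that a downloaded sample matches the digests in a MalwareBazaar entry.

Added example, not MalwareBazaar code. Reads the file once, computes every listed
digest in the same pass, and returns the set of algorithms that disagree.
"""
import hashlib
import io

# Digests copied from the entry above; pass this dict to verify_file() on the real download.
BAZAAR_ENTRY = {
    "sha256": "a288c4d3129a5fbc475d58916a465a9e43ba804a23dd6aa6726947c4ce9081bf",
    "sha3_384": "ca97257906b7cdc5f12bd9c46e5ed6246b4a7b2c431fb8bd41fab1cd6f419a669f026ba3cac3daf4ef46a52b1e64062b",
    "sha1": "a95ab1a564e5d3f5c5aa597e28a05a21e23c3256",
    "md5": "a3fd74bc897d19c94815d58ba48c199f",
}


def digest_stream(fobj, algorithms=("md5", "sha1", "sha256", "sha3_384"), chunk=1 << 20):
    """Compute all requested digests in one chunked pass (samples can be large)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = fobj.read(chunk)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes):
    """Convenience wrapper for in-memory data."""
    return digest_stream(io.BytesIO(data))


def mismatches(actual, expected):
    """Names of algorithms whose listed digest differs from the computed one.

    Comparison is case-insensitive; an algorithm listed in `expected` but absent
    from `actual` is reported as a mismatch rather than silently skipped.
    """
    return {name for name, hexd in expected.items()
            if actual.get(name) != hexd.strip().lower()}


def verify_file(path, expected=BAZAAR_ENTRY):
    """Return the set of mismatching algorithms for the file at `path` (empty set = all match)."""
    with open(path, "rb") as f:
        return mismatches(digest_stream(f, tuple(expected)), expected)


# Constructed offline input: the string b"abc" and its well-known digest values.
CONSTRUCTED_INPUT = b"abc"
CONSTRUCTED_EXPECTED = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "sha3_384": "ec01498288516fc926459f58e2c6ad8df9b473cb0fc08c2596da7cf0e49be4b298d88cea927ac7f539f1edf228376d25",
}

if __name__ == "__main__":
    print(mismatches(digest_bytes(CONSTRUCTED_INPUT), CONSTRUCTED_EXPECTED))  # set()
```

Run `verify_file("/path/to/sample.exe")` on the real download and treat any non-empty result as a reason to stop: a hash that does not match means you are not analysing the file this entry describes. The imphash, ssdeep and TLSH values above need their own libraries (pefile, ssdeep, tlsh) and are not recomputed here.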

Intelligence


File Origin
# of uploads: 2
# of downloads: 160
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a3fd74bc897d19c94815d58ba48c199f
Verdict: Malicious activity
Analysis date: 2021-07-08 16:06:14 UTC
Tags: trojan danabot

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: DarkVNC
Detection: malicious
Classification: bank.troj.adwa.spyw.evad
Score: 96 / 100
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Enables a proxy for the internet explorer
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DarkVNC
Behaviour
Behavior Graph
Behavior Graph ID: 446032
Sample: 3XmOPwy0nJ
Start date: 08/07/2021
Architecture: WINDOWS
Score: 96
Sample-level signatures: Yara detected DarkVNC; Machine Learning detection for sample
Process tree (indentation shows parent/child; each node lists what the sandbox attributed to it):
3XmOPwy0nJ.exe (started)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
    rundll32.exe (started)
        Network: 192.236.194.109, port 443 (local ports 49709, 49715), HOSTWINDSUS, United States
        Dropped: C:\ProgramData\Bklngfpngf\kgjocbpkfku.tmp (PE32); C:\Users\user\Desktop\3XmOPwy0nJ.exe (data)
        Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Bypasses PowerShell execution policy
        rundll32.exe (started)
            Dropped: C:\Users\user\AppData\...\tmp4AA7.tmp.ps1 (ASCII)
            Signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc); Sets a proxy for the internet explorer; Enables a proxy for the internet explorer
            powershell.exe (started)
                conhost.exe (started)
            powershell.exe (started)
                conhost.exe (started)
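The chain in the process tree (dropper, rundll32.exe twice, then powershell.exe running a dropped script from AppData with the execution policy bypassed) is the part of this behaviour that translates most directly into endpoint detection. The following is an added example, not from the page or any sandbox vendor, that runs three such rules over process-creation events. The process names, the parent/child chain and the fact that a dropped .tmp.ps1 script was executed come from the tree above; the PIDs, full image paths and command lines are constructed assumptions, because the sandbox summary does not show them, and the benign explorer.exe/powershell.exe pair is a control.

```python
"""Detection logic for the rundll32 -> powershell chain shown in the sandbox process tree.

Added example, not from the page or any vendor. Command lines, PIDs and full paths
below are constructed assumptions; only the process names and chain come from the tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as a process-creation event would log it
    cmdline: str


# Constructed events. The first four mirror the tree above; the last two are a benign control.
EVENTS = [
    ProcEvent(1000, 4, r"C:\Users\user\Desktop\3XmOPwy0nJ.exe", "3XmOPwy0nJ.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    ProcEvent(1200, 1100, r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\tmp1234.tmp.ps1"),
    ProcEvent(2000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
]

# -ExecutionPolicy / -Exec / -ep followed by Bypass or Unrestricted, in any letter case.
BYPASS = re.compile(r"-(?:ep|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
# A .ps1 script anywhere under the user's AppData tree.
TEMP_SCRIPT = re.compile(r"\\AppData\\[^\s\"']*\.ps1\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid):
    """Walk ppid links upward, guarding against loops caused by PID reuse."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events):
    """Return {pid: [rule names]} for every powershell.exe that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        if basename(ev.image) != "powershell.exe":
            continue
        rules = []
        if BYPASS.search(ev.cmdline):
            rules.append("powershell_execution_policy_bypass")
        if TEMP_SCRIPT.search(ev.cmdline):
            rules.append("powershell_script_from_appdata")
        if any(basename(a.image) == "rundll32.exe" for a in ancestors(ev, by_pid)):
            rules.append("powershell_spawned_under_rundll32")
        if rules:
            hits[ev.pid] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, rules)
```

The ancestry rule is the one that survives renaming of the script and reshuffling of the flags: rundll32.exe has no legitimate reason to be anywhere above a PowerShell host, so it is worth alerting on that relationship on its own, and treating the two command-line rules as severity boosters. Walking the whole ancestry rather than checking only the direct parent matters here because the tree shows two stacked rundll32.exe instances before PowerShell appears.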
Threat name: Win32.Trojan.Graftor
Status: Malicious
First seen: 2021-07-08 16:04:10 UTC
File Type: PE (Exe)
Extracted files: 24
AV detection: 16 of 29 (55.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SHA256 hash: fb4895acc0553f810caf3a6d26a4eb7af18934571ff21b05a2ac07232a226bc9
MD5 hash: fe7ba6f8c484342ddd60c5e99fd5cea9
SHA1 hash: c809081cfc879d6428dffc9c536c32f86318a319

SHA256 hash: 300baa2fbcec19a4629be145cccf71d7f850144191b3730acd3c7c4f2f21c2df
MD5 hash: 3ea37a1dde22c6ee56b063dca5be2bc9
SHA1 hash: d65d36cd6e56f597b037373e99f9d00073c37d50

SHA256 hash: 22aab7ca8a3548d7b4e57dba79c24805da52be625bb0c6fac1a3963dabc4e45f
MD5 hash: 1d55ee07d13fddf22ec47023262d4bd9
SHA1 hash: 7795f960bcf1b3b38491a565684b7e54cf0bdb55

SHA256 hash: ef5c76ff6ec9910534e19c582aaddb2de5fb7d3d9e136b1b6d5572b271efaa0a
MD5 hash: 84b0d302b68cf9336e3aa1031ba7855c
SHA1 hash: 1c0bfa983a8b32a783b8e88d0609d31f8eef6b3e

SHA256 hash: eacc59d83ee32cf8dc5b87a997b437dc7094df74eaf2209e8c98c44fd71d19b4
MD5 hash: 85b2c82485143527f90619509e165fbf
SHA1 hash: adaca291acac543a2ca2ed1b260b6d316d890791

SHA256 hash: a288c4d3129a5fbc475d58916a465a9e43ba804a23dd6aa6726947c4ce9081bf (the submitted sample itself)
MD5 hash: a3fd74bc897d19c94815d58ba48c199f
SHA1 hash: a95ab1a564e5d3f5c5aa597e28a05a21e23c3256
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
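The rule matched here keys on the COFF header's TimeDateStamp, a 32-bit Unix epoch value the linker normally fills with the build time; a stamp later than the current clock cannot be an honest build time, which is why a future value is a cheap indicator of tampering. The following is an added example, not the YARA rule itself, that implements the same check in Python by walking the DOS header to e_lfanew, verifying the PE signature and reading the stamp; build_stub_pe() constructs a minimal test image and is not a real executable.

```python
"""Flag PE files whose COFF TimeDateStamp lies in the future (a stomped compile time).

Added example implementing the check the YARA rule above describes; it is not the rule.
build_stub_pe() produces constructed test input, not a real executable.
"""
import struct
import time


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def timestamp_in_future(data: bytes, now=None, slack=24 * 3600) -> bool:
    """True when the stamp is later than `now` by more than `slack` seconds.

    `slack` absorbs clock skew between the build machine and the analyst's box;
    the YARA rule as described compares against the local clock with no allowance.
    """
    now = int(time.time()) if now is None else now
    return pe_timestamp(data) > now + slack


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal image: 64-byte DOS header, PE signature, 20-byte COFF header, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after the DOS header
    # Machine=0x14C (i386), 0 sections, the stamp under test, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    with open("sample.exe", "rb") as f:                         # path is an assumption
        print(timestamp_in_future(f.read()))
```

Two caveats before acting on a hit. Deterministic .NET builds write a content hash into this field rather than a time, so a managed binary can carry an arbitrary-looking stamp without any tampering; and a stomped stamp set to a plausible past date passes this check entirely, so the rule finds careless stomping, not stomping as such.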

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: DarkVNC, Executable exe a288c4d3129a5fbc475d58916a465a9e43ba804a23dd6aa6726947c4ce9081bf (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-07-08 16:03:48 UTC

url : hxxp://142.44.224.31/schhosts.exe