MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkVNC

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330
SHA3-384 hash:	f2a21b78af5e88e2eed83696ddd1ef3ef238d5a0af0ad6199f5eb49fc8eb360bf45f67c1ebe3f83bd9eb3326e76ca535
SHA1 hash:	f803c6a204231bf80b8ee47912c43d597dbfda8f
MD5 hash:	2d0b8663c370b76694a77d6ce5f3897c
humanhash:	triple-charlie-jig-kitten
File name:	no_startup_upd_2021-08-09_05-28.exe
Download:	download sample
Signature	DarkVNC Create hunting rule
File size:	459'264 bytes
First seen:	2021-08-09 08:52:02 UTC
Last seen:	2021-08-09 09:50:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	02a4feeb6808b3e6475baba70ffccf8d (2 x ArkeiStealer, 1 x Loki, 1 x DarkVNC)
ssdeep	12288:6QcCNAX253YeA+2CzSIPi2eWW7IP8T9C57h:6QcCNfpi+vJBc9I
Threatray	62 similar samples on MalwareBazaar
TLSH	T153A4F131B680F932E5570930789ECAA4FB69A8315B95424337983F6E5EF37C1136A31B
dhash icon	10367878727e7636 (8 x RaccoonStealer, 4 x Smoke Loader, 2 x DanaBot)
Reporter	benkow_
Tags:	DarkVNC exe gcleaner

benkow_

c2: 23.83.133. 152
Dropped by Raccoon in the US

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

no_startup_upd_2021-08-09_05-28.exe

Verdict:

Malicious activity

Analysis date:

2021-08-09 09:05:04 UTC

Tags:

installer trojan

Link:

https://app.any.run/tasks/1d601e78-eb81-459e-add2-cf9b01240e43

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

HiddenVNC

Link:

https://www.capesandbox.com/analysis/177491/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.28276.3518.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Gootkit

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d59556c0-ecf0-4c9d-8078-da9852a5443e

Result

Threat name:

Ramnit

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/829163

Signature

Allocates memory in foreign processes

Contains functionality to inject threads in other processes

Contains VNC / remote desktop functionality (version string found)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Yara detected Ramnit VNC Module

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330/

Threat name:

Win32.Backdoor.Convagent

Status:

Malicious

First seen:

2021-08-09 08:31:30 UTC

AV detection:

22 of 46 (47.83%)

Threat level:

5/5

Verdict:

unknown

DarkVNC

43e35aa1486b2cd51237520eb1b0b02fb46f0f3b135622e66b7438684429441c

DarkVNC

47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4

DarkVNC

549294145687d56bced5ae786f90fd4ec2aa4730e80f31f3b886e3a603f1e47e

DarkVNC

7b844cc75f594f536f486b137817a497407b689725ab45c7904444e82374d4ac

DarkVNC

d5e0eecc3da1a2bc3f36df0a05c0ce116def64c9e6c72224c8988a671ed7fe8a

DarkVNC

e1eceb18a899ae4d5ba7080c8e1bc43f11d05a5998e3a6bd41100a23cbc2137a

DarkVNC

e5645c71f642f457348025cca404a3e756f91b0ae418cebae622935cea1707f6

DarkVNC

+ 52 additional samples on MalwareBazaar

Result

Malware family:

darkvnc

Score:

10/10

Tags:

family:darkvnc rat

Link:

https://tria.ge/reports/210809-4gfhbs7qb2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

DarkVNC Payload

DarkVNC

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

a1e868ebeeeb88af94dd38626513d15ee67e50f825bebf9a416521e95e264dbc

MD5 hash:

7cac2daef2009e08f9e05d3b129088ea

SHA1 hash:

d0225d413504484c30e74fc86249d2325eec5d6f

Link:

https://www.unpac.me/results/2f0fd23a-2350-4b22-ab8f-24d28b859750/

SH256 hash:

19e8b920ef74341257f81ad10d641fac872fdb19d1a4d893e43cafd949e9a974

MD5 hash:

45a716ea390ab12a9dcf511d7733dbf2

SHA1 hash:

1fd1c9c914be157b1b3b5e70c71671844a422ce2

Link:

https://www.unpac.me/results/2f0fd23a-2350-4b22-ab8f-24d28b859750/

SH256 hash:

bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330

MD5 hash:

2d0b8663c370b76694a77d6ce5f3897c

SHA1 hash:

f803c6a204231bf80b8ee47912c43d597dbfda8f

Link:

https://www.unpac.me/results/2f0fd23a-2350-4b22-ab8f-24d28b859750/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/bfec5909532f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bfec5909532fa13fa9e1a2ef05a6d053c44a6aae7f75715bd6f8b0c6264e7330

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://tria.ge/210809-35bb7j7tne/behavioral2

Dropped by

GCleaner

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/1518660/

Cape

https://www.capesandbox.com/analysis/177491/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample