MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c87ccc80f1c070fec4033411d19cb2c12d6bfdcd723c1d97879d2dbae3690e17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c87ccc80f1c070fec4033411d19cb2c12d6bfdcd723c1d97879d2dbae3690e17
SHA3-384 hash: b51331e82110339e7f854962c4ed00aa5fec461ce62675aca64f7a15c217c5949362afee820eaea8ae3cd1cc7df51f05
SHA1 hash: f141f978523d6c0c60b35c7ab2de81f603e5c899
MD5 hash: 05380f9f5c0c34bd03e373a0affda0ce
humanhash: five-tennis-potato-california
File name:05380f9f5c0c34bd03e373a0affda0ce.exe
Download: download sample
Signature DarkVNC
Create hunting rule
File size:520'192 bytes
First seen:2021-01-09 17:20:47 UTC
Last seen:2021-01-09 18:53:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 51f3f223eb524785c1900912591586f0 (4 x ArkeiStealer, 3 x DarkVNC, 2 x RaccoonStealer)
ssdeep 12288:NlF0ex5PhYEtgPB4KVhn+B0xkpcJCBHIVdUSf2MCV+441evZgl:zNhPtgZXVhnzvJulSfcV+XAvZgl
Threatray 44 similar samples on MalwareBazaar
TLSH B0B41217E89CA497F4E52C31561EE2EC03859550E61462074F39DE622F3E6C2FA8BB37
Reporter abuse_ch
Tags:DarkVNC exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
05380f9f5c0c34bd03e373a0affda0ce.exe
Verdict:
Malicious activity
Analysis date:
2021-01-09 17:22:04 UTC
Tags:
trojan hvnc
Link:
https://app.any.run/tasks/cdf25a4f-a99d-4e37-88ec-ce6ad791ad28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111127/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/577330
Signature
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates an undocumented autostart registry key
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c87ccc80f1c070fec4033411d19cb2c12d6bfdcd723c1d97879d2dbae3690e17/
Threat name:
Win32.Trojan.Cmy3u
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 17:21:06 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zb6mzahrybyp5radgqi5dhfsyewwx7onoi6b3f4htuw3vy3jbylq._file
Verdict:
unknown
Similar samples:
07fd393e36e2519dda8edff80b6c629347586a628d70103d0cb425ba5c6cd0b9
DarkVNC
102309e3bb52f160ab298e054ca17e117fd602607121429fcd0275e99f1763da
DarkVNC
3785550afcc22a9c9cc82c4f6515f77eb9cc0984966aeb238d57e1ea3cb9d351
DarkVNC
3851673a8448fae896b14ae44ce35adf89113f914387fd8dce6ccaeff6f5b123
DarkVNC
3f5bc52dbad154f0693d28e459ff19c203c93ec58d6d99fa86631b049ba9746a
DarkVNC
50ca73e510646ea1534f248099ce844f7f6178adb93055f8459ec07645f48e79
DarkVNC
6641844eca61aba9bea60b2dee53da73541ec911b58363d78884c0c05aaef662
DarkVNC
777441ba67aa9043dac6a7d9ed97ac483935ac25b0781ca3494f72ea15119f50
DarkVNC
7eaf1d4d20b405c4cc1209b5c2c3a63f2db9201b09e33979b9677738150a94bd
DarkVNC
f22462a16e1e5b3eed3a84c6003aef25eb4ccdd78cb7064fdb39404528f3b9f0
DarkVNC
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210109-5v4fqznhax/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
c87ccc80f1c070fec4033411d19cb2c12d6bfdcd723c1d97879d2dbae3690e17
MD5 hash:
05380f9f5c0c34bd03e373a0affda0ce
SHA1 hash:
f141f978523d6c0c60b35c7ab2de81f603e5c899
Link:
https://www.unpac.me/results/4539a65b-4c2e-4bcc-a7d2-7cdc82e879c5/
SH256 hash:
c627978d9a6a60b90a0f1b68f772ad4f21f3e163c37b13d12557f7fe8eba7068
MD5 hash:
e860ead5588b1a8e61a2034c7d33b495
SHA1 hash:
787b793010df0e86b1999b82ecc1c606bc823b04
Link:
https://www.unpac.me/results/4539a65b-4c2e-4bcc-a7d2-7cdc82e879c5/
SH256 hash:
293d03b1bb46070856cba7eca5f0a1301df4413fa4dbbfe185ea1ac8813c7fc2
MD5 hash:
98a7595394ff32fd22d26b3845d9c0a7
SHA1 hash:
1d45ae8387dade3b1c62fe02c167c5affbb8078a
Link:
https://www.unpac.me/results/4539a65b-4c2e-4bcc-a7d2-7cdc82e879c5/
SH256 hash:
092b48d80c6c9996f8bc5a12dea82463ff1490e27c21dffd4298d8c72d89cf7a
MD5 hash:
dc785eada381cdaeee3e36e9a6101486
SHA1 hash:
7b9ab18a36086eaece36b781aea69f0ba5dc5e68
Link:
https://www.unpac.me/results/4539a65b-4c2e-4bcc-a7d2-7cdc82e879c5/
SH256 hash:
adbcbc05c1ef14eecfe0c5c43a8ce98dde7a019ad2920b9a0d7da20d01393489
MD5 hash:
1e48556ddef7bf60a73b146efca45b6b
SHA1 hash:
ce5d8c237254bf01c74347054ea4e6f29de7d7ce
Link:
https://www.unpac.me/results/4539a65b-4c2e-4bcc-a7d2-7cdc82e879c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c87ccc80f1c070fec4033411d19cb2c12d6bfdcd723c1d97879d2dbae3690e17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_DarkVNC
Create hunting rule
Author:abuse.ch
Description:Detects DarkVNC
Rule name:crime_win32_hvnc_banker_gen
Create hunting rule
Author:@VK_Intel
Description:Detects malware banker hidden VNC
Reference:https://twitter.com/VK_Intel/status/1247058432223477760
Rule name:crime_win32_hvnc_zloader1_hvnc_generic
Create hunting rule
Author:@VK_Intel
Description:Detects Zloader hidden VNC
Reference:https://twitter.com/malwrhunterteam/status/1240664014121828352
Rule name:HiddenVNC
Create hunting rule
Author:@bartblaze
Description:Identifies HiddenVNC, which can start remote sessions.
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVNC

Executable exe c87ccc80f1c070fec4033411d19cb2c12d6bfdcd723c1d97879d2dbae3690e17

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/938195/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/111127/

Comments