MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f
SHA3-384 hash: 100ed3114058af8c335d5aef1829bee86e5101b49c947a16e96ca4e67cf316530972d0215d41636a6ab76c8fa4c2630c
SHA1 hash: 6a3df763e5bd30333d7ded16ecf117ff104c9392
MD5 hash: 44127349bb3ca609430558c961239e68
humanhash: florida-kansas-violet-early
File name:4A97.tmp.exe
Download: download sample
Signature DarkVNC
Create hunting rule
File size:471'515 bytes
First seen:2022-11-02 01:08:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 57e98d9a5a72c8d7ad8fb7a6a58b3daf (60 x GuLoader, 20 x AZORult, 12 x RemcosRAT)
ssdeep 12288:K+Kv9yphaoZivTjxaehr9n7O5QR6gPQgDM1i9iV8I:K+Kv9EwoZkTjxa07O5Q7NsV8I
Threatray 102 similar samples on MalwareBazaar
TLSH T13AA4232A3284C4E7C76B1E750EBB6BA67BF06D022011D60B3B95FF49FC17295E92E144
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter malware_traffic
Tags:DarkVNC exe


Avatar
malware_traffic
2017 sample of DarkVNC malware EXE distributed through Terror exploit kit traffic.

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4A97.tmp.exe
Verdict:
Malicious activity
Analysis date:
2022-11-02 00:57:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/409e8e07-918d-4744-86c0-54588ae043d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
HiddenVNC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/326934/
Detection(s):
Win.Trojan.Agent-6613095-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Nemesis.254.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Launching a process
Sending a custom TCP request
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47299/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
buer coinminer
Link:
https://www.filescan.io/uploads/6361c32fa5db8d309cbc4550/reports/c54d5f5b-01cd-4a8c-a2fe-579b958df7f3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkVNC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f5aa80e-3132-4163-ba99-33690ea1b5ce
Result
Threat name:
GuLoader, Ramnit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1102893
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Ramnit VNC Module
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2017-10-17 19:51:00 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
33 of 42 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3wqplodvsiql3pmolw5ix72jq2frfyov4o6soozwmbinvmgi3vhq._file
Verdict:
malicious
Similar samples:
1c08cf3dcf465a4a90850cd256d29d681c7f618ff7ec94d1d43529ee679f62f3
DarkVNC
2006d79276316eea72f9c19d6169a67fd71eefd25b8e1007d9a72f1a1154b1e5
DarkVNC
21b45cf293c8b1587d29f4a641b448ff3f817d6c99fa114841858208a0e2ae0a
DarkVNC
48d29a8519bd574b03306f6c5e47cc9918d204a4a492acf654ce3acafa59498c
DarkVNC
afe362f2b4c796b7177aea8bd909fedbe9e22b07dcec38234a454c47264e6b82
DarkVNC
bde46cf05034ef3ef392fd36023dff8f1081cfca6f427f6c4894777c090dad81
DarkVNC
d1ad5fd5f6ed1ca6556b80636b019b020755c7b3586c683fcddeb9688ed0017e
DarkVNC
+ 92 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221102-bhsx2agcg9/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Drops startup file
Loads dropped DLL
Adds policy Run key to start application
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d0f1b650-c649-4a6a-912f-b646ed42d294
Unpacked files
SH256 hash:
f09db059deb58e0d1522f9b5f5fee1c8ac65b642711b37f724eff7e1d325ac41
MD5 hash:
ba3abf6ed7f3b4dabf073361941153a1
SHA1 hash:
a87b2d3794db53908c6096c7ee8605bf1f838b46
Link:
https://www.unpac.me/results/06c49edf-a0d0-4ea5-9858-6b7fa0c4c7be/
SH256 hash:
bba27cd789a40969b09b7ef00cd89627ee20560467f6fca06b8fc7f822588eb1
MD5 hash:
3b1393140b1baea636be3e6294a7fe33
SHA1 hash:
7a5b086adc1be7d7e74021404bfc8718cd60f3b7
Link:
https://www.unpac.me/results/06c49edf-a0d0-4ea5-9858-6b7fa0c4c7be/
SH256 hash:
c1cc3aa4326e83a73a778dee0cf9afcc03a6bafb0a32cea791a27eb9c2288985
MD5 hash:
ee449b0adce56fbfa433b0239f3f81be
SHA1 hash:
ec1e4f9815ea592a3f19b1fe473329b8ddfa201c
Link:
https://www.unpac.me/results/06c49edf-a0d0-4ea5-9858-6b7fa0c4c7be/
SH256 hash:
2dab56278485307865dca888a74ca24f5e83c9fc7f60b00a0a301720e05a3c1f
MD5 hash:
a4f5a63c94ca3b298c2b1e5a003c9871
SHA1 hash:
c19b2a9ca8666681c5fddc8dde2bf3995aa7af6d
Link:
https://www.unpac.me/results/06c49edf-a0d0-4ea5-9858-6b7fa0c4c7be/
SH256 hash:
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
MD5 hash:
55a26d7800446f1373056064c64c3ce8
SHA1 hash:
80256857e9a0a9c8897923b717f3435295a76002
Detections:
win_qtbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/06c49edf-a0d0-4ea5-9858-6b7fa0c4c7be/
Parent samples :
dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f
e689963b4319dd5d5249ac1c629af5951f4e90db8040bf7ee33492e54c2c6487
bba7b7e91056db7fb6f628ab6478960b96c1a9d8606d6d5b4d74d5043b2bad79
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
2952bf5efc5b011349d22cbe6e7a813f0ae014d145f23115184a36a1448262d0
4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
830b4dcec27e5d45a9bb7bc538fc026e4af5c3a18de4a71e80b066afe059ac54
2db92a3fa08dc8e97b4f2651e9ec1d123d2556ce5bc7ec9474672767f6505e26
f2b345fcebcd9ed2e342399cfe9819abee7c3642efb6279ad3b4c940555d4564
101057440710c8766fc47fb315ba9fb471c633079c034d5d213e3011cfe075a9
252c26a5ea749569e41b4ce291ea4ff21d08ca884123c8ff171433a359455033
601bc4c4ff50e846a29e702f894f72b8cea1c7c200b363795ed7905784dde043
337b4c24e057d2585f87ed8ad3711ea4c59a3ae1b0895176d983bbc0c64a1d11
1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764
f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
31eb29c56f113f47c0e4d29f346f685db8a00b9394efa9643caafa254f0618d7
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
406a9e03ab016d68a3aa919ac67397a83081f3ef478baf752d90545ec0fac6dc
e1e722daed3f9e886b15a541de7d67a023f42b2af431a5b6879ad7d32a1c36bf
170825eaa838a2e43fc76d3ad458982182f7b5471554ffd993525fd928b21d3d
1d8f40654fc90da579349546b0c74fc7334ad8a6fcbf21f87815715e644950d1
2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
f338b027a3117b82aafca870aaecb64264f238055afd3d598c90ef102092022a
3a66e54745e3455f2a8ecf35cc2ae7f3e4c7f960b547a65a55ac8ee4209b37e4
a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
8e90738e8d2c488ac315737c15f39a977d989200cdb20b42a63a1f7bc8438a1e
f214476db64248c82861c7b27fd55186beaf2e292cbe013d47f17305c3b2e95d
8da8762a0f3794de100bd1800856136928880e8a9d0be42eb758809bca1bd0e3
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
ec06ca55bb1ff5e2c51e7756302a11bfc5341b6baa323788d93d646bd84602da
9a66af305ab345c37b408f496c0ad1251e1346f41586742df225af2c6564d576
9b2665438001f2c82c0737efac921004f3435efb29d1edffede8e45683a164a9
SH256 hash:
5a31abf36c0ed5e74295b7d7db5a2b09d8aa308483612b7b0bc04771000ac8ad
MD5 hash:
a09bcf528d02f89f9befa78937ca7d7b
SHA1 hash:
3cbcb0fdc32a8f21d6d557cc4c3bb6c4ee246b6f
Link:
https://www.unpac.me/results/06c49edf-a0d0-4ea5-9858-6b7fa0c4c7be/
SH256 hash:
dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f
MD5 hash:
44127349bb3ca609430558c961239e68
SHA1 hash:
6a3df763e5bd30333d7ded16ecf117ff104c9392
Link:
https://www.unpac.me/results/06c49edf-a0d0-4ea5-9858-6b7fa0c4c7be/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dda0f5b87592/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:Susp_Indicators_EXE
Create hunting rule
Author:Florian Roth
Description:Detects packed NullSoft Inst EXE with characteristics of NetWire RAT
Reference:https://pastebin.com/8qaiyPxs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.malware-traffic-analysis.net/2017/10/17/index.html
anyrun
any.run
https://app.any.run/tasks/d25c8e1d-637a-4cdc-b8f7-2bf89452a11f/
  
Link
https://tria.ge/221102-bbw14sgce2
  
Link
https://www.hybrid-analysis.com/sample/dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f?environmentId=100
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/326934/

Comments