MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df3975291d9bf0dfafa03fbcda916bc31c200c39f28701d32dccf3523a8606c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVNC


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df3975291d9bf0dfafa03fbcda916bc31c200c39f28701d32dccf3523a8606c9
SHA3-384 hash: 88aa666661285d84ae2532741fb1793cad8111e4247414fca004b57b5bcd2671a2c517cf6a678bd14a75b843fd2a01d2
SHA1 hash: c3d8d30acd6dd466c446492d178046745a34bc17
MD5 hash: 7cf97a4adac74d6572746d1f27095924
humanhash: beer-kansas-pennsylvania-diet
File name:7cf97a4adac74d6572746d1f27095924.exe
Download: download sample
Signature DarkVNC
Create hunting rule
File size:1'057'280 bytes
First seen:2021-07-06 06:20:46 UTC
Last seen:2021-07-06 06:53:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8049f708fcb07ebf9462806c4a9d27f3 (1 x DarkVNC)
ssdeep 24576:DUh6dg6gUGGR7UX+Eza5WRw7E+ZSi7Jz67WoloeUvM6s543RpD3xROs:DUODgkK+EAWR4hZLwseN6s54hpDh
Threatray 2'377 similar samples on MalwareBazaar
TLSH 4B251291B980CBB1E68255304C36C3609A29F9637A374653F2B43B6B6D333C1A7D9277
Reporter abuse_ch
Tags:DarkVNC exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7cf97a4adac74d6572746d1f27095924.exe
Verdict:
Malicious activity
Analysis date:
2021-07-06 06:22:07 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/3b0e5aa8-8437-4924-82ff-5e0e3be61449

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169866/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.76241.77.16872.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2edab045-6c69-4691-a76e-c83b05e21440
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/812075
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df3975291d9bf0dfafa03fbcda916bc31c200c39f28701d32dccf3523a8606c9/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 17:58:13 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=344xkki5tpyn7l5ah66nvellymocadbz6kdqduznztzveouga3eq._file
Verdict:
malicious
Similar samples:
3d577f9e7a6d32391040bbec8556c62750e75625f40f16ef33a27230ac2b1b5d
DarkVNC
71bef343c030a099a182448091052c9788988251e1e9e3236cb27b53a5bd318f
DarkVNC
7443a98b0d8781ce10c495383c3aecfd6cc0a7f3e6d9c0d9638c8fd5e2f5264e
DarkVNC
7866bb7085d15613e2f12913cad280e17c750dadcecd208e1e11ba5167e4496b
DarkVNC
801335edb67efa986f07704ab6d1c085cbe5a55c9c2baaf8691b4806e3557e25
DarkVNC
a35a4b8c7fe3d0282fddf831fdec65a894ae0f9f0266f6824689d9770ddf5458
DarkVNC
aa6206082575919b3b0ea11c5430082a8b6b2251ca4d4aeedfe663ca250fdafb
DarkVNC
c0493b2725b38545cd7b51015335c87e842096b635e2055b6cc30c038d69336f
DarkVNC
db6707dfd3c466dd3265628f922abb9908916f58ee47d9575cc45233a858e3fd
DarkVNC
f1410c202fcc7ef7a804332fbeb58b5274fd7609a0fbe7e3bae93eed2542b519
DarkVNC
+ 2'367 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210706-jpyf25l8hn/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
1daa902e043cc10afbc0297d9e87714843f8f85b7b79e3627219363949564c60
MD5 hash:
287cf0cec95d58c9aabdf0513f9c8771
SHA1 hash:
86b13bf2e6e98535afcb1fe34587a985318448df
Link:
https://www.unpac.me/results/378386fe-3a54-4bb3-8f47-a868b13de6f6/
SH256 hash:
df3975291d9bf0dfafa03fbcda916bc31c200c39f28701d32dccf3523a8606c9
MD5 hash:
7cf97a4adac74d6572746d1f27095924
SHA1 hash:
c3d8d30acd6dd466c446492d178046745a34bc17
Link:
https://www.unpac.me/results/378386fe-3a54-4bb3-8f47-a868b13de6f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df3975291d9bf0dfafa03fbcda916bc31c200c39f28701d32dccf3523a8606c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVNC

Executable exe df3975291d9bf0dfafa03fbcda916bc31c200c39f28701d32dccf3523a8606c9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1407122/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/169866/

Comments