MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5645c71f642f457348025cca404a3e756f91b0ae418cebae622935cea1707f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkVNC


Vendor detections: 8



SHA256 hash: e5645c71f642f457348025cca404a3e756f91b0ae418cebae622935cea1707f6
SHA3-384 hash: b19deda40f446a967a733eb744cc898a244668d18a0182c42d1ce13fa81f4fee0cd24c4fde8c9d156a5b1121041fca6e
SHA1 hash: 991d8933b8afe85c743321050c63c34dad9eb69a
MD5 hash: 108b97c82934dd23e8d7cd9534ad2685
humanhash: robin-river-early-april
File name: zdnDE6F.tmp
Signature: DarkVNC
File size: 1'340'416 bytes
First seen: 2021-07-16 20:40:45 UTC
Last seen: 2021-07-16 21:40:04 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: ef807c6bc173d985c5d887f7a59d35d2 (1 x DarkVNC)
ssdeep: 24576:f7EwA1oZUBx4TeZEKzxwJ5HrsExloIyA40ucpnE9y+:f7ElKPSZw9TE9x
Threatray: 57 similar samples on MalwareBazaar
TLSH: T1D45559083659FD22C2E666320F25E195235D34642B3095CF36F87FAF2FEC4A3256935A
Reporter: malware_traffic
Tags: DarkVNC dll

Intelligence


File Origin
# of uploads:
2
# of downloads:
143
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Searches for specific processes (likely to inject)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Yara detected Ramnit VNC Module
Behaviour
Behavior Graph:
Behavior Graph ID: 450124
Sample: zdnDE6F.tmp
Startdate: 16/07/2021
Architecture: WINDOWS
Score: 88

Sample (root node)
  Signatures:
    - Malicious sample detected (through community Yara rule)
    - Yara detected Ramnit VNC Module
    - Contains VNC / remote desktop functionality (version string found)
    - Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
  Started process: loaddll32.exe

loaddll32.exe
  Signatures:
    - Writes to foreign memory regions
    - Allocates memory in foreign processes
    - Modifies the context of a thread in another process (thread injection)
    - Maps a DLL or memory area into another process
  Started processes: rundll32.exe, cmd.exe, rundll32.exe, 2 other processes

  rundll32.exe (first instance)
    Signatures:
      - Writes to foreign memory regions
      - Allocates memory in foreign processes
      - Modifies the context of a thread in another process (thread injection)
    Started process: WerFault.exe
      Signatures:
        - Contains functionality to inject threads in other processes
        - Searches for specific processes (likely to inject)

  cmd.exe
    Started process: rundll32.exe
      Signatures:
        - Writes to foreign memory regions
        - Allocates memory in foreign processes
        - Modifies the context of a thread in another process (thread injection)
        - Maps a DLL or memory area into another process
      Started processes: WerFault.exe, BackgroundTransferHost.exe
        WerFault.exe
          Network: 23.83.133.126, port 443, local ports 49717, 49718 (LEASEWEB-USA-PHX-11US, United States)

  rundll32.exe (second instance)
    Signatures:
      - Maps a DLL or memory area into another process
    Started processes: conhost.exe, WerFault.exe

  2 other processes
    Started process: WerFault.exe
Threat name:
Win32.Trojan.Carberp
Status:
Malicious
First seen:
2021-07-16 20:41:03 UTC
AV detection:
10 of 27 (37.04%)
Threat level:
5/5
Result
Malware family:
darkvnc
Score:
10/10
Tags:
family:darkvnc rat
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkVNC Payload
DarkVNC
Unpacked files
SHA256 hash:
e5645c71f642f457348025cca404a3e756f91b0ae418cebae622935cea1707f6
MD5 hash:
108b97c82934dd23e8d7cd9534ad2685
SHA1 hash:
991d8933b8afe85c743321050c63c34dad9eb69a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
