Windows
Analysis Report
file.exe
Overview
General Information
Detection
DarkVision Rat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file contains section with special chars
Searches for specific processes (likely to inject)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses dynamic DNS services
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- file.exe (PID: 1268 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9BB6B2817EF5A1367529506EAF619F0F)
- cmd.exe (PID: 3088 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4132 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows' MD5: 04029E121A0CFA5991749937DD22A1D9)
- windows.exe (PID: 1032 cmdline: "C:\ProgramData\windows\windows.exe" {D8E15931-E2AD-40B5-A4D1-41BD1741249E} MD5: 9BB6B2817EF5A1367529506EAF619F0F)
- cmd.exe (PID: 6540 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4616 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows' MD5: 04029E121A0CFA5991749937DD22A1D9)
- WmiPrvSE.exe (PID: 2800 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- explorer.exe (PID: 7020 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
- cmd.exe (PID: 4132 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\{A6378F27-E3E4-43B5-A4A9-3CD42AEFDEDB}\{01CD18C6-8DB4-4D19-901B-142FFEF41E7A}.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3816 cmdline: cmd /c start "" "C:\ProgramData\windows\windows.exe" {5EED0EA3-A73E-442A-9D20-84320F1AFCBA} MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- windows.exe (PID: 1364 cmdline: "C:\ProgramData\windows\windows.exe" {5EED0EA3-A73E-442A-9D20-84320F1AFCBA} MD5: 9BB6B2817EF5A1367529506EAF619F0F)
- cleanup
{"C2": "acuweld.ddns.net", "Port": 3440}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
System Summary
Source: | Author: Florian Roth (Nextron Systems)