win.darkvnc

DarkVNC


According to Enigmasoft, DarkVNC is a hacking tool that is available for purchase online. It can be used as a Virtual Network Computing service, which means that attackers gain full access to the targeted system via this malware. However, unlike a genuine Virtual Network Computing utility, DarkVNC operates silently in the background. Therefore, victims are unlikely to notice that their systems have been compromised.

References
2022-08-12SANS ISCBrad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID
2022-07-27SANS ISCBrad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
DarkVNC IcedID
2017-11-08ReaqtaReaqta
A short journey into DarkVNC attack chain
DarkVNC
Yara Rules
[TLP:WHITE] win_darkvnc_auto (20260504 | Detects win.darkvnc.)
rule win_darkvnc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.darkvnc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N is a 7-instruction opcode pattern taken from the
     *   sample's code. The "??" bytes are wildcards on call/jump targets and
     *   rip-relative data references (cf. signator_config
     *   "callsandjumps;datarefs"), so the patterns survive relocation but
     *   still reflect this particular build's code layout.
     * - The per-line disassembly comments below are generator output and do
     *   not appear to decode the bytes they sit next to (e.g. 83f806 encodes
     *   "cmp eax, 6", not the "mov esi, ..." listed). Treat them as
     *   decoration, not as a reading of the pattern.
     * - Every sequence contains REX prefixes (48/49/4c/41/44), i.e. the
     *   patterns come from 64-bit code; a 32-bit build of the family is
     *   unlikely to match this rule.
     */


    strings:
        $sequence_0 = { 488bd9 e8???????? 83f806 7714 e8???????? 83f806 753f }
            // n = 7, score = 100
            //   488bd9               | dec                 esp
            //   e8????????           |                     
            //   83f806               | mov                 esi, dword ptr [esp + 0x48]
            //   7714                 | dec                 esp
            //   e8????????           |                     
            //   83f806               | sub                 edx, edi
            //   753f                 | dec                 eax

        $sequence_1 = { e8???????? 493bf5 72d9 4489b42490000000 448bb424b0000000 49638778540000 41bb01000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   493bf5               | je                  0x1e97
            //   72d9                 | dec                 eax
            //   4489b42490000000     | cmp                 dword ptr [esp + 0x90], 0
            //   448bb424b0000000     | je                  0x1e97
            //   49638778540000       | mov                 dword ptr [esp + 0xd0], 0
            //   41bb01000000         | dec                 eax

        $sequence_2 = { 7437 488b4320 488d4b30 48894340 ba02000000 8b4328 2b4320 }
            // n = 7, score = 100
            //   7437                 | test                ebx, ebx
            //   488b4320             | jle                 0x403
            //   488d4b30             | mov                 eax, 0x10624dd3
            //   48894340             | imul                ebx
            //   ba02000000           | sar                 edx, 6
            //   8b4328               | mov                 eax, edx
            //   2b4320               | test                ebx, ebx

        $sequence_3 = { 488b4008 4889442430 488b442430 488b4c2428 488908 488b442428 488b4c2430 }
            // n = 7, score = 100
            //   488b4008             | lea                 ecx, [esp + 0x20]
            //   4889442430           | inc                 esp
            //   488b442430           | mov                 eax, ebp
            //   488b4c2428           | xor                 edx, edx
            //   488908               | dec                 eax
            //   488b442428           | mov                 edi, edx
            //   488b4c2430           | dec                 eax

        $sequence_4 = { 48ff4308 4883fa02 7ce9 4883c420 5b c3 48895c2408 }
            // n = 7, score = 100
            //   48ff4308             | mov                 edi, ecx
            //   4883fa02             | lea                 ecx, [eax*2 + 2]
            //   7ce9                 | push                edi
            //   4883c420             | dec                 eax
            //   5b                   | sub                 esp, 0x20
            //   c3                   | dec                 eax
            //   48895c2408           | mov                 edi, edx

        $sequence_5 = { 4157 488bec 4883ec50 33ff 488d5548 488bf1 48897d50 }
            // n = 7, score = 100
            //   4157                 | mov                 eax, dword ptr [eax + 8]
            //   488bec               | dec                 eax
            //   4883ec50             | mov                 dword ptr [esp + 0x40], eax
            //   33ff                 | dec                 eax
            //   488d5548             | mov                 eax, dword ptr [esp + 0x60]
            //   488bf1               | dec                 eax
            //   48897d50             | mov                 eax, dword ptr [eax + 0x10]

        $sequence_6 = { 8bc1 4123c4 c1e908 0bd8 4123cc 0fb64707 c1e308 }
            // n = 7, score = 100
            //   8bc1                 | inc                 esp
            //   4123c4               | lea                 ebx, [esi + 1]
            //   c1e908               | inc                 ecx
            //   0bd8                 | cmp                 eax, ebx
            //   4123cc               | jne                 0x1fa3
            //   0fb64707             | inc                 esp
            //   c1e308               | mov                 edx, dword ptr [esp + 0x3c]

        $sequence_7 = { ff15???????? 488b0d???????? 4c8bc6 33d2 ff15???????? 4c8d9c24a0000000 33c0 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   4c8bc6               | lea                 edx, [ebp - 0x30]
            //   33d2                 | or                  edx, ecx
            //   ff15????????         |                     
            //   4c8d9c24a0000000     | dec                 eax
            //   33c0                 | lea                 ecx, [ebx + 0xd8]

        $sequence_8 = { 448bc6 33d2 498bcc ff15???????? 85c0 7438 4885ed }
            // n = 7, score = 100
            //   448bc6               | mov                 eax, dword ptr [ecx]
            //   33d2                 | call                dword ptr [eax + 0x10]
            //   498bcc               | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 eax, dword ptr [edi]
            //   7438                 | dec                 eax
            //   4885ed               | mov                 edx, dword ptr [edx]

        $sequence_9 = { 418bf3 899424c0000000 448bc1 83f811 7d41 488d0d6bc00100 8b4481fc }
            // n = 7, score = 100
            //   418bf3               | dec                 eax
            //   899424c0000000       | sub                 esp, 0x28
            //   448bc1               | dec                 eax
            //   83f811               | lea                 edx, [0x34418]
            //   7d41                 | dec                 eax
            //   488d0d6bc00100       | mov                 ecx, dword ptr [esp + 0x30]
            //   8b4481fc             | mov                 eax, dword ptr [eax]

    condition:
        // Any 7 of the 10 sequences suffice (not all 10), which leaves some
        // room for variation between builds. The size cap (606208 = 0x94000
        // bytes) keeps the rule off large objects: a memory dump or unpacked
        // payload above that size will not match regardless of string hits,
        // so adjust it if you scan such artifacts.
        7 of them and filesize < 606208
}