win.darkvnc

DarkVNC


According to Enigmasoft, DarkVNC malware is a hacking tool that is available for purchase online. It can be used as a Virtual Network Computing service, which means that the attackers can get full access to the targeted system via this malware. However, unlike a genuine Virtual Network Computing utility, the DarkVNC threat operates silently in the background. Therefore, it is highly likely that the victims may not notice that their systems have been compromised.

References
2022-08-12 — SANS ISC — Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID
2022-07-27 — SANS ISC — Brad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
DarkVNC IcedID
2017-11-08 — Reaqta — Reaqta
A short journey into DarkVNC attack chain
DarkVNC
Yara Rules
[TLP:WHITE] win_darkvnc_auto (20230808 | Detects win.darkvnc.)
rule win_darkvnc_auto {
    // Autogenerated code-sequence signature for win.darkvnc: ten hex patterns
    // ($sequence_0 .. $sequence_9), each covering a run of 7 instructions taken
    // from disassembly of a sample (see DISCLAIMER below). A file matches when
    // at least 7 of the 10 patterns are present and the file is under the size
    // cap given in the condition. The "// n = 7, score = 100" annotations are
    // generator metadata (instruction count / selection score) and have no effect
    // on matching; only the hex inside { } is evaluated by YARA.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.darkvnc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc"
        // NOTE(review): `date` (rule generation) differs from malpedia_rule_date and
        // malpedia_version (data snapshot) — presumably the rule was regenerated
        // against an older corpus snapshot; confirm against the Malpedia changelog.
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-opcode mnemonic column below does not line up with the
     * listed bytes. Example: c1e904 (C1 /5 ib, modrm E9) encodes `shr ecx, 4`, not a
     * `mov dword ptr [esp + 0x40], ...`; and the 41/44/45/48/49/4c leading bytes are
     * x64 REX prefixes, whereas the column reads them as 32-bit `inc`/`dec` forms.
     * The column therefore looks like a 32-bit-mode decode of an offset byte run
     * from the generator — treat the hex bytes as authoritative and the mnemonics as
     * unreliable; they are comments and never influence matching.
     */

    strings:
        $sequence_0 = { c1e904 4103ce 446bc11f 48634b28 418bd0 c1ea08 881401 }
            // n = 7, score = 100
            //   c1e904               | mov                 dword ptr [esp + 0x40], 0xcc0020
            //   4103ce               | mov                 dword ptr [esp + 0x38], 0
            //   446bc11f             | mov                 dword ptr [esp + 0x30], 0
            //   48634b28             | dec                 eax
            //   418bd0               | mov                 edx, dword ptr [esp + 0x50]
            //   c1ea08               | dec                 eax
            //   881401               | mov                 edx, dword ptr [edx + 0x10]

        $sequence_1 = { 488b4c2438 894148 c744244001000000 4c8b8c24a0000000 4c8b842498000000 8b942490000000 33c9 }
            // n = 7, score = 100
            //   488b4c2438           | mov                 eax, edi
            //   894148               | xor                 edx, edx
            //   c744244001000000     | dec                 eax
            //   4c8b8c24a0000000     | lea                 edx, [0x64c9]
            //   4c8b842498000000     | dec                 eax
            //   8b942490000000       | lea                 ecx, [ebp + 0x170]
            //   33c9                 | dec                 ecx

        $sequence_2 = { 418bca d1e9 03c1 8a4d0c 99 41f7fa d3e0 }
            // n = 7, score = 100
            //   418bca               | mov                 dword ptr [esp + 0x48], ebx
            //   d1e9                 | lea                 eax, [ebx + 1]
            //   03c1                 | dec                 eax
            //   8a4d0c               | mov                 dword ptr [esp + 0x40], ebx
            //   99                   | inc                 ebp
            //   41f7fa               | xor                 eax, eax
            //   d3e0                 | dec                 eax

        $sequence_3 = { 41f7fb d2e0 41880432 49ffc2 4c3bd3 7ce5 488b5c2408 }
            // n = 7, score = 100
            //   41f7fb               | mov                 dword ptr [esp + 0x10], edx
            //   d2e0                 | dec                 eax
            //   41880432             | mov                 dword ptr [esp + 8], ecx
            //   49ffc2               | dec                 eax
            //   4c3bd3               | sub                 esp, 0x38
            //   7ce5                 | dec                 eax
            //   488b5c2408           | mov                 eax, dword ptr [esp + 0x48]

        // `????????` is the YARA wildcard for the 4-byte operand of e8 (call rel32)
        // and, in $sequence_6 / $sequence_8, of ff15 (call [disp32]) / e9 (jmp rel32).
        // Masking the target-dependent bytes keeps the pattern position-independent;
        // the mnemonic column is blank for those entries.
        $sequence_4 = { 668944244c 488d4c2440 e8???????? 668944244e c744244400000000 eb0a 8b442444 }
            // n = 7, score = 100
            //   668944244c           | je                  0xdea
            //   488d4c2440           | inc                 ecx
            //   e8????????           |                     
            //   668944244e           | inc                 esp
            //   c744244400000000     | dec                 ecx
            //   eb0a                 | mov                 ecx, edi
            //   8b442444             | dec                 ecx

        $sequence_5 = { 418bc8 44888438d8000000 458d5801 44019fd8000100 418bc5 410fafc4 44899c24c0040000 }
            // n = 7, score = 100
            //   418bc8               | dec                 esp
            //   44888438d8000000     | lea                 eax, [esp + 0x50]
            //   458d5801             | dec                 eax
            //   44019fd8000100       | mov                 edx, dword ptr [esp + 0x48]
            //   418bc5               | dec                 eax
            //   410fafc4             | mov                 ecx, dword ptr [esp + 0x80]
            //   44899c24c0040000     | mov                 dword ptr [esp + 0x40], eax

        $sequence_6 = { ff15???????? 33d2 b903000000 f7f1 89442428 c744242400000000 ba09000000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   33d2                 | cmp                 eax, esi
            //   b903000000           | inc                 ecx
            //   f7f1                 | movzx               ecx, word ptr [edi + 6]
            //   89442428             | dec                 eax
            //   c744242400000000     | lea                 edx, [0x136bc]
            //   ba09000000           | inc                 ebp

        $sequence_7 = { eb0c 498b4770 4b8d0c76 4c8d2cc8 4d85ed 750a bb27030980 }
            // n = 7, score = 100
            //   eb0c                 | sub                 edx, 0xb
            //   498b4770             | lea                 eax, [ecx + 7]
            //   4b8d0c76             | inc                 cx
            //   4c8d2cc8             | shl                 edx, cl
            //   4d85ed               | inc                 bp
            //   750a                 | or                  dword ptr [ecx + 0x1708], edx
            //   bb27030980           | inc                 ecx

        $sequence_8 = { 8d5808 e9???????? 488b4c2460 488d85b0000000 4533c0 4889442420 4d8bcf }
            // n = 7, score = 100
            //   8d5808               | mov                 byte ptr [esp + 0x42], dl
            //   e9????????           |                     
            //   488b4c2460           | xor                 edx, edx
            //   488d85b0000000       | shl                 cl, 7
            //   4533c0               | mov                 byte ptr [esp + 0x40], cl
            //   4889442420           | mov                 cl, dl
            //   4d8bcf               | and                 cl, 0xfe

        $sequence_9 = { 4d85e4 7416 498bcf e8???????? 0c80 488bcd 8ad0 }
            // n = 7, score = 100
            //   4d85e4               | mov                 ecx, ebp
            //   7416                 | dec                 ecx
            //   498bcf               | mov                 edi, ebp
            //   e8????????           |                     
            //   0c80                 | dec                 esp
            //   488bcd               | mov                 esp, eax
            //   8ad0                 | je                  0x105c

    condition:
        // Threshold: any 7 of the 10 sequences. The filesize cap is in bytes
        // (606208 = 592 KiB) and was presumably sized from the reference sample(s);
        // a padded or repacked build above that size will not match even if all ten
        // sequences are present, and packed/in-memory-only stages need an unpacked
        // or memory scan, since the sequences were taken from unpacked code.
        7 of them and filesize < 606208
}