win.darkvnc

DarkVNC


There is no description at this point.

References
2022-08-12 — SANS ISC — Brad Duncan
@online{duncan:20220812:monster:cbf3101, author = {Brad Duncan}, title = {{Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike}}, date = {2022-08-12}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28934}, language = {English}, urldate = {2022-08-15} } Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID
2022-07-27 — SANS ISC — Brad Duncan
@online{duncan:20220727:icedid:839e33a, author = {Brad Duncan}, title = {{IcedID (Bokbot) with Dark VNC and Cobalt Strike}}, date = {2022-07-27}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884}, language = {English}, urldate = {2022-07-28} } IcedID (Bokbot) with Dark VNC and Cobalt Strike
DarkVNC IcedID
2017-11-08 — Reaqta — Reaqta
@online{reaqta:20171108:short:aa183af, author = {Reaqta}, title = {{A short journey into DarkVNC attack chain}}, date = {2017-11-08}, organization = {Reaqta}, url = {https://reaqta.com/2017/11/short-journey-darkvnc/}, language = {English}, urldate = {2022-04-20} } A short journey into DarkVNC attack chain
DarkVNC
Yara Rules
[TLP:WHITE] win_darkvnc_auto (20220808 | Detects win.darkvnc.)
// Autogenerated YARA-Signator rule for the DarkVNC family (win.darkvnc).
// It carries ten 7-instruction opcode sequences ($sequence_0 .. $sequence_9)
// selected from unpacked / memory-dumped code, and fires when any 7 of the 10
// are present in a file smaller than 606208 bytes (see the condition below).
// The sequences carry x64 REX prefixes (0x41, 0x48, 0x4c, 0x4d), so the rule
// appears to target the 64-bit build only — confirm against the samples used.
rule win_darkvnc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.darkvnc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-opcode annotations under each $sequence_N do not
     * appear to line up with the bytes they accompany (e.g. in $sequence_0 the
     * byte c3 is `ret`, yet the annotation on that line reads `mov`). Treat the
     * annotations as informational only; the hex bytes inside the braces are
     * what the rule actually matches. The `??` bytes are YARA wildcards that
     * mask operands (call targets, displacements) which presumably differ
     * between builds. Because the sequences were taken from unpacked code,
     * packed on-disk samples are not expected to match.
     */

    strings:
        $sequence_0 = { 415e 5f c3 6689542410 53 4883ec20 488b4108 }
            // n = 7, score = 100
            //   415e                 | dec                 eax
            //   5f                   | sub                 esp, 0x38
            //   c3                   | mov                 dword ptr [esp + 0x28], 0
            //   6689542410           | mov                 dword ptr [esp + 0x24], 3
            //   53                   | mov                 eax, dword ptr [esp + 0x24]
            //   4883ec20             | dec                 eax
            //   488b4108             | shl                 eax, 3

        $sequence_1 = { 8b9050010000 ff15???????? eb08 488bac24a8000000 8bd6 488bcf e8???????? }
            // n = 7, score = 100
            //   8b9050010000         | movzx               eax, dl
            //   ff15????????         |                     
            //   eb08                 | inc                 edx
            //   488bac24a8000000     | movzx               eax, byte ptr [eax + ebx + 0x37900]
            //   8bd6                 | add                 word ptr [ebx + eax*4 + 0x4b8], si
            //   488bcf               | mov                 eax, 0xffff
            //   e8????????           |                     

        $sequence_2 = { 0f8513010000 8d51ef 488bcf ff15???????? b90000cf80 4885c1 0f84f9000000 }
            // n = 7, score = 100
            //   0f8513010000         | add                 eax, esi
            //   8d51ef               | dec                 ebp
            //   488bcf               | add                 eax, eax
            //   ff15????????         |                     
            //   b90000cf80           | inc                 esp
            //   4885c1               | mov                 eax, dword ptr [ebp + 0x730]
            //   0f84f9000000         | dec                 esp

        $sequence_3 = { 8bce 418bc7 488bb5b8070000 410fafc6 4803c8 4803f1 488d3c11 }
            // n = 7, score = 100
            //   8bce                 | jne                 0x251
            //   418bc7               | mov                 edx, 3
            //   488bb5b8070000       | dec                 eax
            //   410fafc6             | mov                 ecx, ebx
            //   4803c8               | dec                 eax
            //   4803f1               | mov                 ebx, eax
            //   488d3c11             | dec                 eax

        $sequence_4 = { 4c8bac24b0000000 4d8bcd 4d3bee 7378 442bc7 4c63e7 4d63d8 }
            // n = 7, score = 100
            //   4c8bac24b0000000     | mov                 dword ptr [esp + 0x64], 0xd585d7c0
            //   4d8bcd               | inc                 esp
            //   4d3bee               | lea                 eax, [esi + 0x20]
            //   7378                 | dec                 eax
            //   442bc7               | lea                 ecx, [ebp + 0x50]
            //   4c63e7               | mov                 dl, 0x24
            //   4d63d8               | inc                 ecx

        $sequence_5 = { 4881ec40020000 4963f0 4c8bf2 488be9 33db 215c2430 488d4c2438 }
            // n = 7, score = 100
            //   4881ec40020000       | dec                 eax
            //   4963f0               | mov                 ecx, dword ptr [esp + 0x48]
            //   4c8bf2               | dec                 eax
            //   488be9               | mov                 eax, dword ptr [esp + 0x40]
            //   33db                 | dec                 eax
            //   215c2430             | add                 eax, 0x20
            //   488d4c2438           | inc                 cx

        $sequence_6 = { 41b850020000 33db e8???????? 488bce ff15???????? 488b0d???????? 33d2 }
            // n = 7, score = 100
            //   41b850020000         | mov                 byte ptr [esp + 0x33], al
            //   33db                 | dec                 eax
            //   e8????????           |                     
            //   488bce               | mov                 dword ptr [esp + 0x28], eax
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   33d2                 | xor                 ecx, ecx

        $sequence_7 = { 48897018 57 4881ece0000000 488bf2 488be9 33db 488d4890 }
            // n = 7, score = 100
            //   48897018             | mov                 ecx, edx
            //   57                   | dec                 esp
            //   4881ece0000000       | mov                 esi, edx
            //   488bf2               | je                  0xc5c
            //   488be9               | dec                 eax
            //   33db                 | lea                 eax, [0x1b60a]
            //   488d4890             | inc                 ebp

        $sequence_8 = { ffc0 4c63c0 ff15???????? 488bf8 4885c0 0f849d000000 4963c4 }
            // n = 7, score = 100
            //   ffc0                 | test                edi, edi
            //   4c63c0               | je                  0x1b89
            //   ff15????????         |                     
            //   488bf8               | lea                 ecx, [eax*2 + 2]
            //   4885c0               | dec                 eax
            //   0f849d000000         | mov                 ebx, eax
            //   4963c4               | dec                 eax

        $sequence_9 = { a804 740d c644245280 c68424e500000080 0fb6c3 4c8bc6 0fb6db }
            // n = 7, score = 100
            //   a804                 | mov                 ebx, dword ptr [ebp + 0x7f]
            //   740d                 | mov                 eax, dword ptr [ebx]
            //   c644245280           | cmp                 dword ptr [esp + 0x3c], eax
            //   c68424e500000080     | ret                 
            //   0fb6c3               | mov                 edx, 2
            //   4c8bc6               | dec                 eax
            //   0fb6db               | mov                 ecx, edi

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, and the
        // scanned object must be under 606208 bytes.
        // NOTE(review): `filesize` is only defined when YARA scans a file, not
        // a running process, so this rule is meant for dumped/unpacked files
        // on disk — confirm this matches how it is deployed.
        7 of them and filesize < 606208
}