Date: 10/14/2024
Severity: Medium
Summary
DarkVision RAT, a customizable remote access trojan first identified in 2020, is known for its low cost and extensive capabilities, including keylogging, screenshot capture, file manipulation, and password theft. Written in C/C++ and assembly, it has become popular among cybercriminals, including those with minimal skills. In July 2024, its use was noted alongside PureCrypter in various attacks. This analysis will explore the RAT's functionality, detailing its core features, network communication protocols, commands, and plugins, as well as the attack chain associated with its infections.
Indicators of Compromise (IOC) List

Type | Indicator
--- | ---
URL/Domain | nasyiahgamping.com/yknoahdrv.exe
URL/Domain | severdops.ddns.net
Hash (SHA-256) | cd64122c8ee24eaf02e6161d7b74dbe79268f3b7ffb7a8b0691a61ff409f231d
Hash (SHA-256) | 6e3346d47044d6df85a07aeda745d88f9cd46b20d22028d231add555bf00bf41
Hash (SHA-256) | 27ccb9f336282e591e44c65841f1b5bc7f495e8561349977680161e76857be5d
Hash (SHA-256) | 7aa49795bbe025328e0aa5d76e46341a95255e13123306311671678fdeabb617
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Query | Logic
--- | ---
Detection Query 1 | userdomainname like "severdops.ddns.net" or url like "severdops.ddns.net" or userdomainname like "nasyiahgamping.com/yknoahdrv.exe" or url like "nasyiahgamping.com/yknoahdrv.exe"
Detection Query 2 | sha256hash IN ("cd64122c8ee24eaf02e6161d7b74dbe79268f3b7ffb7a8b0691a61ff409f231d","6e3346d47044d6df85a07aeda745d88f9cd46b20d22028d231add555bf00bf41","27ccb9f336282e591e44c65841f1b5bc7f495e8561349977680161e76857be5d","7aa49795bbe025328e0aa5d76e46341a95255e13123306311671678fdeabb617")
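The two queries above, re-implemented as a small scanner over JSON-lines events so the matching can be checked outside the TDIR platform. This is an added example, not Gurucul's or Zscaler's code: the field names (userdomainname, url, sha256hash, host) follow the queries, the sample events are constructed, and the indicator values are the ones listed in this advisory. It deliberately normalises case and compares the URL's host and path exactly, which is stricter than the queries' LIKE substring match.

```python
import json
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list (not constructed).
IOC_DOMAINS = {"severdops.ddns.net"}
IOC_URLS = {"nasyiahgamping.com/yknoahdrv.exe"}
IOC_SHA256 = {
    "cd64122c8ee24eaf02e6161d7b74dbe79268f3b7ffb7a8b0691a61ff409f231d",
    "6e3346d47044d6df85a07aeda745d88f9cd46b20d22028d231add555bf00bf41",
    "27ccb9f336282e591e44c65841f1b5bc7f495e8561349977680161e76857be5d",
    "7aa49795bbe025328e0aa5d76e46341a95255e13123306311671678fdeabb617",
}

# Constructed sample events; the last one is benign and must not match.
SAMPLE_EVENTS = """\
{"host":"ws-17","url":"http://nasyiahgamping.com/yknoahdrv.exe"}
{"host":"ws-17","userdomainname":"SEVERDOPS.DDNS.NET"}
{"host":"ws-04","sha256hash":"CD64122C8EE24EAF02E6161D7B74DBE79268F3B7FFB7A8B0691A61FF409F231D"}
{"host":"ws-09","url":"https://example.com/index.html","sha256hash":"0000000000000000000000000000000000000000000000000000000000000000"}
"""

def event_hits(event: dict) -> list[str]:
    """Return the rule names an event matches, mirroring the two TDIR queries."""
    hits = []
    # Query 1: domain fields compared as case-folded hostnames; URL fields on
    # host+path so scheme, port and query string do not break the match.
    domain = event.get("userdomainname", "").lower().rstrip(".")
    if domain in IOC_DOMAINS:
        hits.append("Q1:userdomainname")
    url = event.get("url", "")
    if url:
        p = urlparse(url if "://" in url else "http://" + url)
        host = (p.hostname or "").lower()
        if host in IOC_DOMAINS or (host + p.path) in IOC_URLS:
            hits.append("Q1:url")
    # Query 2: hash set membership on lowercase hex (feeds often emit uppercase).
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append("Q2:sha256hash")
    return hits

def scan(lines: str) -> list[tuple[str, list[str]]]:
    """Scan JSON-lines events; return (host, rules) for every event that hits."""
    results = []
    for line in lines.splitlines():
        if line.strip():
            ev = json.loads(line)
            hits = event_hits(ev)
            if hits:
                results.append((ev["host"], hits))
    return results
```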
Reference:
https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat#indicators-of-compromise--iocs-