Technical Analysis of DarkVision RAT

    Date: 10/14/2024

    Severity: Medium

    Summary

    DarkVision RAT, a customizable remote access trojan first identified in 2020, is known for its low cost and extensive capabilities, including keylogging, screenshot capture, file manipulation, and password theft. Written in C/C++ and assembly, it has become popular among cybercriminals, including those with minimal skills. In July 2024, its use was noted alongside PureCrypter in various attacks. This analysis will explore the RAT's functionality, detailing its core features, network communication protocols, commands, and plugins, as well as the attack chain associated with its infections.

    Indicators of Compromise (IOC) List

    URL/Domain

    nasyiahgamping.com/yknoahdrv.exe
    severdops.ddns.net

    SHA-256 Hash

    cd64122c8ee24eaf02e6161d7b74dbe79268f3b7ffb7a8b0691a61ff409f231d
    6e3346d47044d6df85a07aeda745d88f9cd46b20d22028d231add555bf00bf41
    27ccb9f336282e591e44c65841f1b5bc7f495e8561349977680161e76857be5d
    7aa49795bbe025328e0aa5d76e46341a95255e13123306311671678fdeabb617

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "severdops.ddns.net" or url like "severdops.ddns.net" or userdomainname like "nasyiahgamping.com/yknoahdrv.exe" or url like "nasyiahgamping.com/yknoahdrv.exe"

    Detection Query 2

    sha256hash IN ("cd64122c8ee24eaf02e6161d7b74dbe79268f3b7ffb7a8b0691a61ff409f231d","6e3346d47044d6df85a07aeda745d88f9cd46b20d22028d231add555bf00bf41","27ccb9f336282e591e44c65841f1b5bc7f495e8561349977680161e76857be5d","7aa49795bbe025328e0aa5d76e46341a95255e13123306311671678fdeabb617")
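    The following Python is an added example, not part of the original page and not Gurucul's TDIR code: it mirrors the two detection queries above over constructed JSON-lines events. The field names are taken from the queries themselves; it assumes `like` behaves as a case-insensitive substring match, so adjust the comparison if your TDIR deployment treats `like` as exact or wildcard matching.

```python
# Added example (not Gurucul's code): mirrors the two TDIR queries above.
# Assumes the event field names from the queries and that `like` is a
# case-insensitive substring match; sample events below are constructed.
import json

# Indicators taken from the IOC list on this page.
NETWORK_IOCS = ("severdops.ddns.net", "nasyiahgamping.com/yknoahdrv.exe")
HASH_IOCS = {
    "cd64122c8ee24eaf02e6161d7b74dbe79268f3b7ffb7a8b0691a61ff409f231d",
    "6e3346d47044d6df85a07aeda745d88f9cd46b20d22028d231add555bf00bf41",
    "27ccb9f336282e591e44c65841f1b5bc7f495e8561349977680161e76857be5d",
    "7aa49795bbe025328e0aa5d76e46341a95255e13123306311671678fdeabb617",
}

def query1(event):
    """Detection Query 1: domain/URL fields contain a known DarkVision IOC."""
    fields = [str(event.get(k, "")).lower() for k in ("userdomainname", "url")]
    return any(ioc in f for ioc in NETWORK_IOCS for f in fields)

def query2(event):
    """Detection Query 2: SHA-256 of the observed file is a known sample."""
    return str(event.get("sha256hash", "")).lower() in HASH_IOCS

def scan(lines):
    """Run both queries over JSON-lines events; return (event id, query) hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if query1(event):
            hits.append((event["id"], "query1"))
        if query2(event):
            hits.append((event["id"], "query2"))
    return hits

# Constructed sample events (not real telemetry); event 3 shows that the
# hash comparison is case-insensitive, event 4 should not match at all.
SAMPLE_LOG = """
{"id": 1, "url": "https://nasyiahgamping.com/yknoahdrv.exe", "sha256hash": ""}
{"id": 2, "userdomainname": "severdops.ddns.net", "url": ""}
{"id": 3, "url": "https://example.invalid/update.exe", "sha256hash": "CD64122C8EE24EAF02E6161D7B74DBE79268F3B7FFB7A8B0691A61FF409F231D"}
{"id": 4, "url": "https://example.invalid/", "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"}
""".splitlines()

if __name__ == "__main__":
    for event_id, query in scan(SAMPLE_LOG):
        print(f"event {event_id}: matched {query}")
```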

    Reference: https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat#indicators-of-compromise--iocs-


    Tags: Malware, RAT, Keylogger
