TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
IP:Port | Timestamp |
---|---|
20.211.121.138:9982 | 2023-10-13 |
2.152.208.135:5500 | 2023-08-14 |
137.74.104.108:443 | 2022-11-01 |
212.114.52.91:8080 | 2022-12-15 |
135.181.175.108:8080 | 2022-12-15 |
91.238.50.80:8080 | 2022-06-29 |
Domain | Timestamp |
---|---|
aimtech.ddns.net | 2023-08-14 |
URL | Timestamp |
---|---|
2022-08-12 by Brad Duncan from SANS ISC
2022-07-27 by Brad Duncan from SANS ISC
2017-11-08 by Reaqta from Reaqta
Tool: DarkVNC
Names: DarkVNC
Description: (Talos) DarkVNC attempts to connect to the C2 server over TCP port 8080, likely to be less suspicious, as this is one of the default ports for connections to HTTP proxies.
Category: Malware
Type: Backdoor
Information: https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc
Last-card-change: 2022-12-27
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
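Added triage example (not code from the ETDA card, Talos or Malpedia): the indicators listed above loaded into a small matcher and run over constructed connection and DNS log lines. Because port 8080 also carries legitimate proxy traffic, the script matches the full IP:port pair for the listed C2 sockets and only flags other 8080 connections when the destination is not in a hypothetical allow-list of the organisation's own proxies (`KNOWN_PROXIES`). The `CONN`/`DNS` line format, the proxy list and the sample log lines are all constructed for this example.

```python
"""Triage helper: match connection and DNS log lines against the DarkVNC
indicators on this card and surface port-8080 traffic that does not go to a
known HTTP proxy.  Added example; not code from the ETDA card, Talos or
Malpedia.  Log format, proxy allow-list and sample lines are constructed."""
import re
from collections import Counter

# Indicators copied from the card above (IP:port pairs and domain).
C2_SOCKETS = {
    ("20.211.121.138", 9982),
    ("2.152.208.135", 5500),
    ("137.74.104.108", 443),
    ("212.114.52.91", 8080),
    ("135.181.175.108", 8080),
    ("91.238.50.80", 8080),
}
C2_DOMAINS = {"aimtech.ddns.net"}

# Assumption: the organisation's legitimate egress proxies.  Traffic to these
# sockets is expected port-8080 traffic; anything else on 8080 deserves a
# look precisely because DarkVNC hides behind the proxy-looking port.
KNOWN_PROXIES = {("10.0.0.5", 8080)}

# Constructed line formats (not a real product's log):
#   CONN <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
#   DNS <ts> <src_ip> <query>
CONN_RE = re.compile(
    r"^CONN\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$")
DNS_RE = re.compile(r"^DNS\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def classify(line):
    """Return (verdict, detail) for one log line, or None if nothing is notable."""
    m = CONN_RE.match(line)
    if m:
        ts, src, _sport, dst, dport = m.groups()
        sock = (dst, int(dport))
        if sock in C2_SOCKETS:
            # Exact IP:port match on a listed C2 endpoint: high confidence.
            return ("c2_socket", f"{src} -> {dst}:{dport} matches DarkVNC C2 at {ts}")
        if int(dport) == 8080 and sock not in KNOWN_PROXIES:
            # Port alone is weak evidence; this is a low-confidence hunting lead.
            return ("port8080_unknown", f"{src} -> {dst}:8080 is not a known proxy at {ts}")
        return None
    m = DNS_RE.match(line)
    if m:
        ts, src, query = m.groups()
        # Normalise trailing dot and case before comparing with the indicator.
        if query.rstrip(".").lower() in C2_DOMAINS:
            return ("c2_domain", f"{src} resolved {query} at {ts}")
        return None
    raise ValueError(f"unparsed line: {line!r}")


def scan(lines):
    """Classify every non-empty line; return the (verdict, detail) hits in order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        verdict = classify(line)
        if verdict:
            hits.append(verdict)
    return hits


def summarize(hits):
    """Count hits per verdict so an analyst can see the high-confidence ones first."""
    return Counter(verdict for verdict, _ in hits)


# Constructed sample log: one known proxy, three listed C2 sockets, one
# unknown 8080 destination and one lookup of the listed dynamic-DNS domain.
SAMPLE_LOG = """
CONN 2023-10-13T09:12:44Z 10.1.2.3:51234 -> 20.211.121.138:9982
CONN 2023-10-13T09:13:01Z 10.1.2.3:51240 -> 10.0.0.5:8080
CONN 2022-12-15T14:02:09Z 10.1.2.9:49152 -> 212.114.52.91:8080
CONN 2023-01-04T08:00:00Z 10.1.2.11:50001 -> 198.51.100.7:8080
DNS 2023-08-14T11:45:30Z 10.1.2.7 aimtech.ddns.net.
CONN 2023-08-14T11:45:31Z 10.1.2.7:52000 -> 2.152.208.135:5500
""".splitlines()

if __name__ == "__main__":
    for verdict, detail in scan(SAMPLE_LOG):
        print(f"{verdict:18} {detail}")
    print(dict(summarize(scan(SAMPLE_LOG))))
```

The listed sockets carry timestamps from mid-2022 onward, so treat the older entries as historical infrastructure that may have been rotated; an exact `c2_socket` hit is still worth a ticket, while `port8080_unknown` hits only narrow the search and need the destination checked against the proxy inventory before escalation.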