{
  "name": "DarkVision RAT",
  "slug": "darkvision-rat",
  "description": "DarkVision RAT is a customizable remote access trojan that first appeared in 2020 and was offered on Hack Forums for $60. Written in C/C++ and assembly, it provides features such as keylogging, screenshots, file manipulation, process injection, remote code execution, and password theft. The referenced analysis describes a multi-stage attack chain that uses PureCrypter as a loader. DarkVision RAT employs various evasion and privilege escalation techniques, including DLL hijacking and process injection. It communicates with its C2 server using a custom protocol and supports multiple plugins for additional capabilities. The RAT's affordability and extensive feature set make it accessible to low-skilled cybercriminals, posing a significant threat.",
  "published": "2024-10-10T14:05:41+00:00",
  "created_at": "2024-10-10T14:05:41+00:00",
  "modified_at": "2024-10-11T06:10:31+00:00",
  "created_at_opencti": "2024-10-10T14:05:41+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-10",
    "c2 communication",
    "darkvision rat",
    "multi-stage attack",
    "purecrypter",
    "remote access trojan"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:6b6f24af88bd2761",
        "name": "DarkVision RAT",
        "slug": "darkvision-rat"
      },
      {
        "id": "legacy:malware:6303df5151a76c76",
        "name": "PureCrypter",
        "slug": "purecrypter"
      }
    ],
    "attack_patterns": [
      {
        "id": "269fca28-cdea-40b4-ae42-8246ad31a84a",
        "name": "T1125"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "8ed8c69f-39b7-445c-8efb-6d3470064374",
        "name": "T1010"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "f48eade0-2f45-4ff7-aa61-8ba887887f81",
        "name": "T1123"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "24fce7f6-f946-4b89-afde-c02b62734093",
        "name": "T1529"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ]
  },
  "external_refs": [
    "https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat",
    "https://otx.alienvault.com/pulse/6707fb55cc1b64564533c615"
  ]
}