MAL_Dknife_VPN_Client_HA_PROXY_Feb26

Rule Info

Name: MAL_Dknife_VPN_Client_HA_PROXY_Feb26
Author: Pezier Pierre-Henri
Description: Detects the customized N2N (P2P) VPN client component used by DKnife to contact the C2 (remote.bin), the reverse proxy server module modified from HAProxy (sslmm.bin), the labelling and relay component (postapi.bin), the bridged TAP interface (yitiji.bin) and dkupdate (dkupdate)
Score: 80
Date: 2026-02-05
Minimum Yara: 3.5.0
Rule Hash: c6cb169e8921f764d7311569ea9c0153
Tags: ['FILE', 'T1090', 'MAL']
Required Modules: []

Antivirus Verdicts

Rating: Number of Samples
Malicious (>= 10 engines): 56
Suspicious (< 10 engines): 7
Clean (0 engines): 1

Rule Matches

Timestamp | Positives | Total | Hash | VT

Rule Matches per Month (last 24 months)