MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fdbf42a61f237d09e48025dae835f6ba06b643cca5ab5b2e7823ed57ea823de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkVisionRAT

Vendor detections: 13

SHA256 hash: 0fdbf42a61f237d09e48025dae835f6ba06b643cca5ab5b2e7823ed57ea823de
SHA3-384 hash: 8f773ec11ac4aa57fb213e6b5b21f59bdcca5f00bed99393d41d452ef0cd1c0dda0bb3bbfe74573df4a7166d599a24f4
SHA1 hash: d55dd2b72c39ab7d9f8a5d6f3bf715ffd44f9dde
MD5 hash: 399de6b6b88b678ffa3b0bdf92c82c72
humanhash: low-mockingbird-alpha-orange
File name: SecuriteInfo.com.Win64.Evo-gen.46982333
Signature: DarkVisionRAT
File size: 1'922'560 bytes
First seen: 2025-11-16 20:39:55 UTC
Last seen: 2025-11-16 21:18:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 679877ea45ff38e48e48875d525bcbb1 (12 x DarkVisionRAT)
ssdeep: 24576:0pUorQka47zWKA7T3RZy0CbnOuOu6a5ktX57p9qLrOYC3oTFWK7SBgXYc+/:0ZrsKK7y0Cb/Ia5EX57O04BQBlJ/
TLSH: T164952340258A7077E0A9CFF786426BFFB5243E574C62BC8B3F547A684DF0883199B619
TrID:
  38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  15.6% (.ICL) Windows Icons Library (generic) (2059/9)
  15.4% (.EXE) OS/2 Executable (generic) (2029/13)
  15.2% (.EXE) Generic Win/DOS Executable (2002/3)
  15.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: SecuriteInfoCom
Tags: DarkVisionRAT exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 105
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: m9Gosw4.exe
Verdict: Malicious activity
Analysis date: 2025-11-16 19:13:14 UTC
Tags: darkvision remote rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: spawn virus hype
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Creating synchronization primitives
Searching for synchronization primitives
DNS request
Creating a file in the Windows subdirectories
Creating a service
Loading a system driver
Forced shutdown of a system process
Connection attempt to an infection source
Enabling autorun for a service
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin obfuscated packed packed vmprotect wscript
Verdict: Malicious
File Type: exe x64
First seen: 2025-11-16T16:24:00Z UTC
Last seen: 2025-11-17T10:20:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Strab.zkt Trojan.Inject.TCP.ServerRequest Trojan.Agent.TCP.ServerRequest PDM:Trojan.Win32.Generic Trojan.Win64.MalDrv.de Trojan.Win32.Strab.sb Trojan.Win32.Agent.sb Trojan.MSIL.BypassUAC.sb
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name: Win64.Trojan.Whisperer
Status: Malicious
First seen: 2025-11-16 19:13:16 UTC
File Type: PE+ (Exe)
Extracted files: 17
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family: darkvision
Score: 10/10
Tags: family:darkvision bootkit defense_evasion discovery execution persistence rat spyware stealer
Behaviour
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Adds Run key to start application
Checks for any installed AV software in registry
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Sets service image path in registry
DarkVision Rat
Darkvision family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: 23.95.245.178
Verdict: Malicious
Tags: DarkVision_RAT
YARA: n/a
Unpacked files
SHA256 hash: 0fdbf42a61f237d09e48025dae835f6ba06b643cca5ab5b2e7823ed57ea823de
MD5 hash: 399de6b6b88b678ffa3b0bdf92c82c72
SHA1 hash: d55dd2b72c39ab7d9f8a5d6f3bf715ffd44f9dde
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVisionRAT
Executable exe 0fdbf42a61f237d09e48025dae835f6ba06b643cca5ab5b2e7823ed57ea823de (this sample)

Delivery method: Distributed via web download