MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e5fc304b652513c9c10b693922b4cf1174e5cc5ecc06241e3a286479fb89a1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVisionRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e5fc304b652513c9c10b693922b4cf1174e5cc5ecc06241e3a286479fb89a1f
SHA3-384 hash: c61fa2b9d6ab4e9fe881b8d00e4a44fb1456a3923e0148419fddc3faf8f93ac4c2f609fe9a66c976788b45b4d3b433b3
SHA1 hash: 3fb1245a7e12656d0a4436dd798a735afb85096c
MD5 hash: abaca0a162b9d6d3d3a3122a02eb1a96
humanhash: avocado-pasta-south-carpet
File name:dBKUxeI.exe
Download: download sample
Signature DarkVisionRAT
Create hunting rule
File size:7'168 bytes
First seen:2025-03-15 12:44:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a6a07754ebbeb019fc79e3e02bb654c0 (2 x DarkVisionRAT)
ssdeep 96:+XPDA9XYCm7kxnGfyrOr3xnPEwC11nI+QCImZOosYQ:+7AmQxxyVnr0C4tsY
TLSH T1DEE1FE52DADA51B9C62F10FB9FB9919E7171F0F046E2602253A40F363FA9870721C38D
TrID 55.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
6.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:AsyncRAT DarkVisionRAT exe


Avatar
iamaachum
http://176.113.115.7/files/1087989943/dBKUxeI.exe

AsyncRAT C2: 213.209.150.19:22001

Intelligence

File Origin
# of uploads :
1
# of downloads :
365
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
dBKUxeI.exe
Verdict:
Malicious activity
Analysis date:
2025-03-15 12:21:26 UTC
Tags:
xor-url generic autorun-reg arch-exec darkvision remote loader rat asyncrat
Link:
https://app.any.run/tasks/54127f80-e76f-4a62-bae6-61f267d978d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d580c03962f1a6f471a02f
Tags:
phishing shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug exploit fingerprint obfuscated packed tiny_c_compiler xor-url xor-url
Link:
https://www.filescan.io/uploads/67d5766a0a7899f357974a8f/reports/c81234a9-a16a-4b4b-b7cf-1f5e51b46af2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1e5fc304b652513c9c10b693922b4cf1174e5cc5ecc06241e3a286479fb89a1f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d86e4d49-e77d-41ec-95e3-5a96838b54f3
Result
Threat name:
AsyncRAT, DarkVision Rat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1639377
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Binaries Write Suspicious Extensions
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1639377 Sample: dBKUxeI.exe Startdate: 15/03/2025 Architecture: WINDOWS Score: 100 115 st58250.ispot.cc 2->115 117 grabify.link 2->117 119 5 other IPs or domains 2->119 137 Suricata IDS alerts for network traffic 2->137 139 Found malware configuration 2->139 141 Malicious sample detected (through community Yara rule) 2->141 143 13 other signatures 2->143 11 dBKUxeI.exe 26 2->11         started        16 explorer.exe 2->16         started        18 explorer.exe 2->18         started        20 explorer.exe 2->20         started        signatures3 process4 dnsIp5 131 st58250.ispot.cc 64.20.39.162, 49722, 49723, 80 IS-AS-1US United States 11->131 133 107.174.192.179, 58492, 58499, 80 AS-COLOCROSSINGUS United States 11->133 109 C:\Users\user\AppData\Local\...\wwfcx.zip, Zip 11->109 dropped 111 C:\Users\user\AppData\Local\...\h2wb5_002.zip, Zip 11->111 dropped 113 C:\Users\user\AppData\Local\...\backup.zip, Zip 11->113 dropped 211 Suspicious powershell command line found 11->211 22 h2wb5_002.exe 11->22         started        25 EwPhcnks.exe 2 10 11->25         started        28 wwfcx.exe 11->28         started        34 3 other processes 11->34 213 System process connects to network (likely due to code injection or exploit) 16->213 215 Query firmware table information (likely to detect VMs) 16->215 30 WerFault.exe 16->30         started        135 a-0003.a-msedge.net 204.79.197.203, 443, 58495, 58528 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->135 32 WerFault.exe 18->32         started        file6 signatures7 process8 file9 155 Multi AV Scanner detection for dropped file 22->155 157 Query firmware table information (likely to detect VMs) 22->157 159 Adds a directory exclusion to Windows Defender 22->159 179 3 other signatures 22->179 36 svchost.exe 22->36         started        41 cmd.exe 22->41         started        91 C:\Users\user\qeGjIVmFrf\vsgraphicscore.dll, PE32+ 25->91 dropped 93 C:\Users\user\qeGjIVmFrf\vcruntime227.dll, PE32+ 25->93 dropped 95 C:\Users\user\qeGjIVmFrf\vcruntime140_1.dll, PE32+ 25->95 dropped 103 5 other malicious files 25->103 dropped 161 Changes memory attributes in foreign processes to executable or writable 25->161 163 Creates multiple autostart registry keys 25->163 165 Contains functionality to inject threads in other processes 25->165 167 Creates a thread in another existing process (thread injection) 25->167 43 explorer.exe 14 9 25->43 injected 97 C:\Users\user\zHOjJOnRQc\wwfcx.exe, PE32+ 28->97 dropped 99 C:\Users\user\zHOjJOnRQc\vsgraphicscore.dll, PE32+ 28->99 dropped 101 C:\Users\user\zHOjJOnRQc\vcruntime219.dll, PE32+ 28->101 dropped 105 5 other malicious files 28->105 dropped 169 Injects code into the Windows Explorer (explorer.exe) 28->169 171 Writes to foreign memory regions 28->171 173 Allocates memory in foreign processes 28->173 107 17 other malicious files 34->107 dropped 175 Loading BitLocker PowerShell Module 34->175 177 Powershell drops PE file 34->177 45 conhost.exe 34->45         started        47 conhost.exe 34->47         started        49 conhost.exe 34->49         started        51 conhost.exe 34->51         started        signatures10 process11 dnsIp12 121 82.29.67.160, 443, 58498, 58500 NTLGB United Kingdom 36->121 123 grabify.link 172.67.68.246, 443, 58496, 58497 CLOUDFLARENETUS United States 36->123 83 C:\Users\user\AppData\Local\Temp\...\dbs.exe, PE32+ 36->83 dropped 85 C:\ProgramData\...\dbs.exe, PE32+ 36->85 dropped 87 C:\ProgramData\...\rs.bat, PNG 36->87 dropped 181 Benign windows process drops PE files 36->181 183 Creates autostart registry keys with suspicious names 36->183 185 Creates multiple autostart registry keys 36->185 53 dbs.exe 36->53         started        58 dbs.exe 36->58         started        60 cmd.exe 36->60         started        187 Adds a directory exclusion to Windows Defender 41->187 62 powershell.exe 41->62         started        64 conhost.exe 41->64         started        125 213.209.150.19, 22001, 49724 KEMINETAL Germany 43->125 189 System process connects to network (likely due to code injection or exploit) 43->189 191 Found many strings related to Crypto-Wallets (likely being stolen) 43->191 193 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->193 66 cmd.exe 43->66         started        file13 signatures14 process15 dnsIp16 127 104.168.28.10, 58503, 58506, 58509 AS-COLOCROSSINGUS United States 53->127 129 127.0.0.1 unknown unknown 53->129 89 C:\Windows\Temp\8FXaaR_4676.sys, PE32+ 53->89 dropped 195 Multi AV Scanner detection for dropped file 53->195 197 Detected unpacking (creates a PE file in dynamic memory) 53->197 199 Query firmware table information (likely to detect VMs) 53->199 201 Sample is not signed and drops a device driver 53->201 68 powershell.exe 53->68         started        71 powershell.exe 53->71         started        203 Tries to evade analysis by execution special instruction (VM detection) 58->203 205 Found direct / indirect Syscall (likely to bypass EDR) 58->205 73 conhost.exe 60->73         started        207 Loading BitLocker PowerShell Module 62->207 209 Adds a directory exclusion to Windows Defender 66->209 75 EwPhcnks.exe 66->75         started        77 conhost.exe 66->77         started        file17 signatures18 process19 signatures20 145 Loading BitLocker PowerShell Module 68->145 79 conhost.exe 68->79         started        81 conhost.exe 71->81         started        147 Changes memory attributes in foreign processes to executable or writable 75->147 149 Contains functionality to inject threads in other processes 75->149 151 Injects code into the Windows Explorer (explorer.exe) 75->151 153 3 other signatures 75->153 process21
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1e5fc304b652513c9c10b693922b4cf1174e5cc5ecc06241e3a286479fb89a1f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e5fc304b652513c9c10b693922b4cf1174e5cc5ecc06241e3a286479fb89a1f/
Threat name:
Win32.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-03-15 12:21:26 UTC
File Type:
PE+ (Exe)
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzp4gbfwkjitzhaqw2jzek2m6elu4xgf5tageqpdukdeph5ytipq._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default discovery execution persistence rat spyware
Link:
https://tria.ge/reports/250315-py47wstxgx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
213.209.150.19:22001
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/553d8b9a-b2d3-4ad1-bf8f-f5ebf8f5c33c
Unpacked files
SH256 hash:
1e5fc304b652513c9c10b693922b4cf1174e5cc5ecc06241e3a286479fb89a1f
MD5 hash:
abaca0a162b9d6d3d3a3122a02eb1a96
SHA1 hash:
3fb1245a7e12656d0a4436dd798a735afb85096c
Link:
https://www.unpac.me/results/b2f6e4f7-ac5f-4141-ad43-1b569afad3f0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1e5fc304b652513c9c10b693922b4cf1174e5cc5ecc06241e3a286479fb89a1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVisionRAT

Executable exe 1e5fc304b652513c9c10b693922b4cf1174e5cc5ecc06241e3a286479fb89a1f

(this sample)

  
Link
https://tria.ge/250315-pdmr4swr15/
  
Dropped by
Amadey
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
shell32.dll::SHFileOperationA
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::GetStartupInfoA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::DeleteFileA
kernel32.dll::FindFirstFileA
kernel32.dll::RemoveDirectoryA
kernel32.dll::GetTempPathA

Comments