MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c754f61ca24586a1be7f1ca3276e04c07ada776569669040ca8953bb6eca620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkVisionRAT


Vendor detections: 14



SHA256 hash: 2c754f61ca24586a1be7f1ca3276e04c07ada776569669040ca8953bb6eca620
SHA3-384 hash: abdbf38b4b20b922d4625c3c3015154063397defa7d0d3b97440b4b85821417fe734d48fd6e75770ec97cf064132fdd8
SHA1 hash: 45f228e320d6a26e40382644ce57533d47ea068d
MD5 hash: 4975c77bca0f1e0e12cfab66b9f0a44f
humanhash: papa-dakota-summer-summer
File name: kdgXbnm.exe
Signature: DarkVisionRAT
File size: 2'289'032 bytes
First seen: 2026-01-10 14:18:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 815e1ba56e855b07daa7197697b159cd (2 x DarkVisionRAT)
ssdeep: 49152:aOBIFnoZgBWKB9BTMrVNQAYIIadoPwi9BFuY7lxjjaFMMsWpiQ+Osx545Ghw+Llz:Zgoab9BTMRqAtdoPwiLjWvFpIOsU5GWc
TLSH: T12FB5237AEEDD8536D948C3344A9BB2997027B312FF3708D31750ECA18C9AB1245B19ED
TrID:
44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: DarkVisionRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 110
Origin country: SE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: kdgXbnm.exe
Verdict: Malicious activity
Analysis date: 2026-01-10 14:19:45 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: expired-cert invalid-signature obfuscated packed packed signed vmprotect
Verdict: Malicious
File Type: exe x64
First seen: 2026-01-10T10:03:00Z UTC
Last seen: 2026-01-10T12:17:00Z UTC
Hits: ~10
Detections: Trojan.Win32.Agent.xcbxdu Trojan.Win32.Agent.sb
Result
Threat name: DarkVision Rat
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates autostart registry keys with suspicious names
Deletes itself after installation
Early bird code injection technique detected
Enables network access during safeboot for specific services
Found direct / indirect Syscall (likely to bypass EDR)
Found driver which could be used to inject code into processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries disk data (e.g. SMART data)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Registers a service to start in safe boot mode
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected DarkVision Rat
Behaviour
Behavior Graph: ID 1847991; Sample: kdgXbnm.exe; Start date: 10/01/2026; Architecture: WINDOWS; Score: 100 (the behaviour graph image is not reproduced in this text export)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 2c754f61ca24586a1be7f1ca3276e04c07ada776569669040ca8953bb6eca620
MD5 hash: 4975c77bca0f1e0e12cfab66b9f0a44f
SHA1 hash: 45f228e320d6a26e40382644ce57533d47ea068d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVisionRAT

Executable exe 2c754f61ca24586a1be7f1ca3276e04c07ada776569669040ca8953bb6eca620

(this sample)

Delivery method
Distributed via web download

Comments