MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVisionRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584
SHA3-384 hash: d3feae67ba5c7cd3483741dcc89cece44f7755e5a40a83a7efeb04710159e1eb8e0e769f937cf16237e213cff935a7f0
SHA1 hash: 273bae25f98866860ce487489f0f70fe629ebb84
MD5 hash: 72f5e1e0b27f9e73ca9eeac17d894211
humanhash: early-jersey-low-bravo
File name:SecuriteInfo.com.BackDoor.XenoRatNET.11.28123.29060
Download: download sample
Signature DarkVisionRAT
Create hunting rule
File size:1'060'864 bytes
First seen:2025-09-24 16:30:14 UTC
Last seen:2025-10-07 04:16:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:vQpVF/tEd/awJTeYgPkzRQpVF/tEd/awJTeYgPkz:vQpVBtEdSSTeYgsRQpVBtEdSSTeYgs
TLSH T1E035DFD46B2BF626F87A6F31D2D3465C2CE571DAE913280C963D183410FB1A8DE76C62
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:DarkVisionRAT exe

Intelligence

File Origin
# of uploads :
51
# of downloads :
78
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584.exe
Verdict:
Malicious activity
Analysis date:
2025-09-24 16:05:46 UTC
Tags:
auto-reg darkvision rat
Link:
https://app.any.run/tasks/be3d5d9d-6207-4113-a151-41fc2bdb3c87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28862/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d548021e4783989051df8d
Tags:
dropper trojan virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Creating a process with a hidden window
Connection attempt
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68d41f353cbcc188f8eb3475/reports/a64b55fa-7106-41d6-b121-a166307e36e1/overview
Verdict:
Malicious
Labled as:
Marsilia.Generic
Link:
https://www.hybrid-analysis.com/sample/3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-24T14:06:00Z UTC
Last seen:
2025-09-24T14:06:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.BypassUAC.sb HEUR:Trojan.MSIL.Quasar.gen HEUR:Backdoor.Win32.Androm.gen Backdoor.Win32.Androm Trojan-Dropper.Win32.Injector.sb Trojan.Inject.TCP.ServerRequest Trojan.Agent.TCP.ServerRequest VHO:Backdoor.Win32.Androm.gen PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584/results?tab=lookup
Malware family:
DarkVision RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50c9e108-abfb-4336-afbc-a73a75b7d70c
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.18 Win 32 Exe x86
Link:
https://app.malva.re/file/72f5e1e0b27f9e73ca9eeac17d894211
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584/
Verdict:
Malicious
Threat:
Family.DARKVISION
Link:
https://tip.neiki.dev/file/3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584
Threat name:
ByteCode-MSIL.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2025-09-24 16:05:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hticxjcssijynwsulhv262ta6c6nnvt7gglase7dt5eg2e7bgwca._file
Verdict:
malicious
Label(s):
darkvisionrat
Create hunting rule
Similar samples:
error
DarkVisionRAT
Result
Malware family:
darkvision
Create hunting rule
Score:
  10/10
Tags:
family:darkvision discovery persistence rat
Link:
https://tria.ge/reports/250924-t4p3dabj4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
DarkVision Rat
Darkvision family
Malware Config
C2 Extraction:
31.57.38.89
Verdict:
Malicious
Tags:
DarkVision_RAT
YARA:
n/a
Link:
https://app.threat.zone/submission/1a2722b6-7f8f-4629-b8d0-af4f1e78c19b
Unpacked files
SH256 hash:
3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584
MD5 hash:
72f5e1e0b27f9e73ca9eeac17d894211
SHA1 hash:
273bae25f98866860ce487489f0f70fe629ebb84
Link:
https://www.unpac.me/results/e18472e3-3382-49ab-9aa6-948c0eac286f/
SH256 hash:
d4288fa6b44a7c14fd4ddfec630f1f1721bc2afa86a249841b40a329d1b7c3b3
MD5 hash:
1812da398cb164aa087464d193100e4e
SHA1 hash:
3c71deb91e1af638aadc009298bed9fbc1a5a2ac
Detections:
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/e18472e3-3382-49ab-9aa6-948c0eac286f/
Parent samples :
3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584
30dedfc41533f3858b2fa2bccc62c02c996b316d27aa07655fd7a9488d0331ce
Malware family:
Darkvision RAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3cd02ba45292/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:darkVision
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked darkVision malware samples.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Base64_Xor_Implementation
Create hunting rule
Author:Jonathan Peters (cod3nym)
Description:Detects .NET applications implementing xor encryption/decryption for Base64 strings
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVisionRAT

Executable exe 3cd02ba452921386da5459ebaf6a60f0bcd6d67f31960913e39f486d13e13584

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/28862/
  
URLhaus
https://urlhaus.abuse.ch/url/3630967/
  
Delivery method
Distributed via web download

Comments