MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53635c2b43f8d87aa8305a1906b2b25dfb204637101bef51d7f734289d5513f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SparkRAT

Vendor detections: 14

SHA256 hash: 53635c2b43f8d87aa8305a1906b2b25dfb204637101bef51d7f734289d5513f1
SHA3-384 hash: 2d9b1cfff9638e613655773eab78c940d248f8a5c20dd31274d84fab65fa2276c5c284fc61b3e8b796ad5178c9801e16
SHA1 hash: 396f4db4affbead9f8ed333d18937d290fa3a777
MD5 hash: e076cfc63a2ce972bf8db0f708551972
humanhash: hot-magnesium-carbon-black
File name: main.vbs
Signature: SparkRAT
File size: 9'572 bytes
First seen: 2026-01-06 07:56:45 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 192:d6aWTcCvH0V/hnZ6/ii3/3r/bx/N/+k/hJjq/+I/V/9x60l/0FEW/0RVp+/+hFVC:d6aWP/0DZkiivhj10CEvVpDVrEYi
TLSH: T18512444FFB431671D9738764A659680FE8B841630C780859F89C48A63F33799E6E09FE
Magika: vba
Reporter: abuse_ch
Tags: SparkRAT vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 59
Origin country: SE

Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: installer autorun shell sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: dropper evasive lolbin persistence taskkill update

Verdict: Malicious
File Type: vbs
First seen: 2026-01-03T21:47:00Z UTC
Last seen: 2026-01-07T12:48:00Z UTC
Hits: ~100
Detections:
VHO:Backdoor.Win64.Convagent.gen Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan-PSW.Python.Luna.gen HEUR:Trojan.Win64.Donut.pef HEUR:Backdoor.Multi.Spark.a Backdoor.Win64.GoRat.sb Trojan-Downloader.VBS.Agent.sb HEUR:Trojan-Downloader.VBS.SLoad.gen Trojan-PSW.Win64.Agent.sb Trojan.Win32.Agent.sb Trojan.Win64.Agent.sb Trojan.Win64.Agent.smfhkh HEUR:Trojan.Python.Pytr.bi Trojan.MSIL.Donut.sb Trojan.Win32.AntiVM.f Trojan-Downloader.VBS.SLoad.sb Trojan-Downloader.JS.SLoad.sb HEUR:Trojan.Win64.DonutInjector.gen HEUR:Trojan.Win32.Generic HEUR:Trojan.Python.Rodico.gen Trojan-PSW.Win32.Agent.sba Trojan.Win32.Shellcode.sb Backdoor.Win64.RootRat.sb PDM:Trojan.Win32.Generic Trojan.Win32.Inject.sb Trojan.JS.SAgent.sb HEUR:Trojan.Python.Tpyc.i HEUR:Trojan.Python.Disin.a VHO:Backdoor.Win64.Agent.gen Trojan-Downloader.Win32.Gomal.sb Trojan.Win64.DonutInjector.sb Trojan.Win64.Donut.sb HEUR:Trojan-PSW.Python.Agent.gen Backdoor.Win64.Agent.sb Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Mercurial.sb HEUR:Trojan.Python.Tpyc.g HEUR:Trojan.Python.Pytr.t HEUR:Backdoor.Win64.RootRat.a Trojan.Win64.Agentb.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Agent.sba Trojan.Win64.Inject.sb HEUR:Trojan-Spy.Win32.KeyLogger.gen HEUR:Trojan-PSW.Python.Disco.gen Backdoor.Win64.SparkRat.sb
Result
Threat name: BitCoin Miner, KeyLogger, Spark RAT
Detection: malicious
Classification: spre.troj.adwa.spyw.expl.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Allocates memory in foreign processes
Benign windows process drops PE files
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Invoke-Obfuscation Via Stdin
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Keylogger Generic
Yara detected Spark RAT
Yara detected VBS Downloader Generic
Behaviour
Behavior Graph: ID 1845351 (Sample: main.vbs, Startdate: 06/01/2026, Architecture: WINDOWS, Score: 100). The interactive process/file/network graph is not reproduced here.
Verdict: Malware
YARA: 1 match(es)
Tags: ADODB.Stream MSXML2.ServerXMLHTTP MSXML2.ServerXMLHTTP.6.0 Scripting.FileSystemObject VBScript WScript.Shell

Threat name: Script.Trojan.Heuristic
Status: Malicious
First seen: 2026-01-04 00:34:59 UTC
File Type: Text (VBS)
AV detection: 4 of 24 (16.67%)
Threat level: 2/5

Verdict: malicious
Label(s): sparkrat donutloader
Similar samples:

Result
Malware family: sparkrat
Score: 10/10
Tags: family:luna_stealer family:sparkrat backdoor defense_evasion discovery execution persistence privilege_escalation pyinstaller spyware stealer trojan upx
Behaviour
Detects videocard installed
Kills process with taskkill
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Disables automatic submission of suspicious files to Microsoft by Windows Defender
Drops startup file
Executes dropped EXE
Loads dropped DLL
Prevents Microsoft Defender from scanning certain paths by adding an exclusion.
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Disables one or more Microsoft Defender components
Downloads MZ/PE file
LunaStealer
Luna_stealer family
Sparkrat
Sparkrat family
family_sparkrat
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: detect_tiny_vbs
Author: daniyyell
Description: Detects tiny VBS delivery technique

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: upx_largefile
Author: k3nr9

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments