MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6700075bf252fbc09453df6f543d36bbd7f7a011ed2b5bf7fc86df1c4b634c8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkVisionRAT

Vendor detections: 12

SHA256 hash: 6700075bf252fbc09453df6f543d36bbd7f7a011ed2b5bf7fc86df1c4b634c8d
SHA3-384 hash: b863ca47f46f49f52d221c3404df9bf9e500a80aea27dba944671a274a13d11f514af4d81fb8f01bd026c82b93e51d98
SHA1 hash: a0aa2bea7ad211680d850e3c0a4079de9e6ca600
MD5 hash: 54dd9cd36da312f6c89d0a2cb0ac00aa
humanhash: nuts-moon-xray-friend
File name: file
Signature: DarkVisionRAT
File size: 719'872 bytes
First seen: 2026-03-06 21:05:09 UTC
Last seen: 2026-03-07 01:02:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 59a9ef17b48ce0b3e398d1c5c81c194b (1 x DarkVisionRAT)
ssdeep: 12288:viM7rr3MzfOwaZSHsR3d3QIS1zPA1QCaGpA+DBNWg7dilMu/KNYj/gCazB9sM7/u:viMf7QOcsdtQIzFaGxD7Wg7da/AYjk
Threatray: 2'686 similar samples on MalwareBazaar
TLSH: T1D2E40222FE4995BCC406C078C30156767B76B4CA1B32AAFF0295263C3F59AE56F38B54
TrID:
  33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
  25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  10.4% (.ICL) Windows Icons Library (generic) (2059/9)
  10.3% (.EXE) OS/2 Executable (generic) (2029/13)
  10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: Bitsight
Tags: DarkVisionRAT dropped-by-amadey exe fbf543


Bitsight (reporter): url: http://158.94.211.222/files/8733674968/jLZuxmu.exe

Intelligence


File Origin
# of uploads: 14
# of downloads: 175
Origin country: US
Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2026-03-06 21:06:01 UTC
Tags: auto-reg
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: dropper emotet trojan remo

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm explorer lolbin packed rust

Result: Gathering data
Result: Gathering data

Malware family: donutloader
Score: 10/10
Tags: family:donutloader loader persistence ransomware
Behaviour:
  Checks SCSI registry key(s)
  Enumerates system info in registry
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Uses Task Scheduler COM API
  Uses Volume Shadow Copy WMI provider
  Uses Volume Shadow Copy service COM API
  Adds Run key to start application
  Enumerates connected drives
  Boot or Logon Autostart Execution: Active Setup
  Detects DonutLoader
  DonutLoader
  Donutloader family
Unpacked files
SHA256 hash: 6700075bf252fbc09453df6f543d36bbd7f7a011ed2b5bf7fc86df1c4b634c8d
MD5 hash: 54dd9cd36da312f6c89d0a2cb0ac00aa
SHA1 hash: a0aa2bea7ad211680d850e3c0a4079de9e6ca600

Malware family: DarkvisionRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_Debugger

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: Rustyloader_mem_loose
Author: James_inthe_box
Description: Corroded buerloader
Reference: https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Author: CYFARE
Description: Generic Windows malware mass-hunt rule - 2025
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Web download

DarkVisionRAT
Executable exe 6700075bf252fbc09453df6f543d36bbd7f7a011ed2b5bf7fc86df1c4b634c8d (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

Comments