MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73fbb0ff8f68a724d25d2b5aaf538328765354a0b91298ce8e292649c3642cdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkVisionRAT


Vendor detections: 21



SHA256 hash: 73fbb0ff8f68a724d25d2b5aaf538328765354a0b91298ce8e292649c3642cdf
SHA3-384 hash: daaf5e7f79fd87a0bb454bf7cc0b029515a8610de90eb09cb69f71c8102d416aaf74ad4c86b5f9c2b2d518d12b91c788
SHA1 hash: 1afef291ca86b310b500ab75cb5c37efc6262129
MD5 hash: cdca36693554bb6639d54b5e59f5fc7e
humanhash: oklahoma-oven-connecticut-nineteen
File name: random.exe
Signature: DarkVisionRAT
File size: 5'086'720 bytes
First seen: 2025-09-18 18:55:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 98304:tbNVc2+YQFjffPxu8X2iynE4QuU1s+lIEGQvwTI:tL9+tJnJu8X88uUq+qTQvD
TLSH: T1303633BEFEED695BC03D523B2CA04E5B0A522A499A134EDCE6BAD3CD70135F1804746D
TrID:
71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: DarkVisionRAT exe


abuse_ch
DarkVisionRAT C2:
http://178.16.54.200/f8nus4b/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://178.16.54.200/f8nus4b/index.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1593931/

Intelligence


File Origin
# of uploads: 1
# of downloads: 80
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-09-18 18:34:39 UTC
Tags: lumma stealer amadey botnet unlocker-eject tool themida arch-exec auto-startup miner loader auto-reg telegram rdp susp-powershell stealc auto generic vidar skuld uac coinminer gcleaner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: cobalt trojan shell sage

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a service
Launching a service
Restart of the analyzed sample
Creating synchronization primitives
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
Creating a window
Searching for the window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: cmd lolbin obfuscated packed reconnaissance sc schtasks

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-18T15:38:00Z UTC
Last seen: 2025-09-18T15:38:00Z UTC
Hits: ~10
Detections:
Trojan.Nymaim.HTTP.ServerRequest
Trojan.Agentb.TCP.C&C
Trojan.BAT.Agent.cot
HEUR:Trojan-PSW.Win32.Lumma.pef
HEUR:Trojan-Downloader.MSIL.Deyma.gen
Trojan-PSW.Lumma.HTTP.Download
Trojan-Downloader.Win32.Deyma.sb
HEUR:Trojan-PSW.Win32.Lumma.gen
HEUR:Trojan-Downloader.Win32.Deyma.gen
HEUR:Trojan.Win32.Generic
PDM:Trojan.Win32.Generic
Result
Threat name: AsyncRAT, StormKitty, Vidar, WorldWind S
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Drops executables to the windows directory (C:\Windows) and starts them
Drops password protected ZIP file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: PUA - NSudo Execution
Sigma detected: Suspicious New Service Creation
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected AsyncRAT
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected Vidar stealer
Yara detected WorldWind Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1780326
Sample: random.exe
Start date: 18/09/2025
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures
Process tree (graph node numbers in parentheses):
Started from the sample: random.exe (9), random.exe (13), svchosthelper.exe (15), 2 other processes (17)
random.exe (9): dropped C:\Windows\systemhelper.exe (PE32), C:\Windows\svchosthelper.exe (PE32), C:\Users\user\AppData\...\svchostmanager.exe (PE32) and 3 other malicious files; Drops executables to the windows directory (C:\Windows) and starts them; started systemhelper.exe (19), svchosthelper.exe (22), cmd.exe (26) and 2 other processes (32)
random.exe (13): dropped C:\Windows\Temp\svchostmanager.exe (PE32), C:\Windows\Temp\svchostam.exe (PE32); started svchosthelper.exe (28)
svchosthelper.exe (15): Contains functionality to start a terminal service
2 other processes (17): started WerFault.exe (30)
systemhelper.exe (19): dropped C:\Users\user\AppData\Local\...\nircmd.exe (PE32+), C:\Users\user\AppData\Local\...\cecho.exe (PE32), C:\Users\user\AppData\Local\...67SudoLG.exe (PE32+) and 2 other malicious files; started cmd.exe (34)
svchosthelper.exe (22): network 178.16.54.200 (ports 49690, 49694, 49695; DUSNET-ASDE, Germany); dropped C:\Users\user\AppData\Local\...\ymkIfpk.exe (PE32+), C:\Users\user\AppData\Local\...\eFYM9KD.exe (PE32), C:\Users\user\AppData\Local\...\1OgvFWH.exe (PE32+) and 3 other malicious files; Contains functionality to start a terminal service; started 1OgvFWH.exe (37)
cmd.exe (26): Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses the nircmd tool (NirSoft); started conhost.exe (39), schtasks.exe (41)
svchosthelper.exe (28): Multi AV Scanner detection for dropped file; Contains functionality to inject code into remote processes; started WerFault.exe (43)
2 other processes (32): started conhost.exe (45), conhost.exe (47)
cmd.exe (34): Uses cmd line tools excessively to alter registry or file data; started cmd.exe (49), reg.exe (51), reg.exe (53) and 25 other processes (55)
cmd.exe (49): started tasklist.exe (57)
reg.exe (51): started Conhost.exe (59)
reg.exe (53): started Conhost.exe (61)
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86

Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2025-09-18 18:34:40 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 28 of 38 (73.68%)

Threat level: 5/5
Verdict: malicious
Label(s): admintool_nircmd unc_loader_051 amadey admintool_nsudo
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:asyncrat family:darkvision family:donutloader family:gcleaner family:lumma family:stormkitty family:xmrig botnet:default credential_access defense_evasion discovery execution loader miner persistence privilege_escalation rat spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Checks installed software on the system
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
Async RAT payload
XMRig Miner payload
AsyncRat
Asyncrat family
DarkVision Rat
Darkvision family
Detects DonutLoader
Disables service(s)
DonutLoader
Donutloader family
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
StormKitty
StormKitty payload
Stormkitty family
Xmrig family
xmrig
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot8359555422:AAE0OIsErTuFgZljJ4w38RYirJSlzW1cI2M/sendMessage?chat_id=7787132136
185.156.73.98
45.91.200.135
https://yunded.com/uwuz
https://sirhirssg.su/xzde
https://prebwle.su/xazd
https://rhussois.su/tatr
https://todoexy.su/xqts
https://acrislegt.su/tazd
https://averiryvx.su/zadr
https://cerasatvf.su/qtpd
80.76.49.60
Unpacked files
SHA256 hash: 73fbb0ff8f68a724d25d2b5aaf538328765354a0b91298ce8e292649c3642cdf
MD5 hash: cdca36693554bb6639d54b5e59f5fc7e
SHA1 hash: 1afef291ca86b310b500ab75cb5c37efc6262129

SHA256 hash: b32d39ab10514e26f3fc1f0dfbeb7e4d6cd1509fa0000b9905194b0d72554667
MD5 hash: 4f26b96d7bc5814e5278773162828929
SHA1 hash: 1fc4dcd28ad2649e7965b88b2108021051a5250f

SHA256 hash: 1d6a081b4bdfa72772036d77a64e72b308da0c6021ac974a13c561dba722171e
MD5 hash: 23f1ea8b76f46ccd310a0b4d48c97650
SHA1 hash: e8121534c9e7e3f60336c338fd261ea8d370c72b
Detections: Amadey

SHA256 hash: 631252d2f38fc2f3e3483a6c198ab3d69ab9dd14185d89f0b03c9363e2b52472
MD5 hash: 4f2c726712ab2cfe7fd3c1faeb7d31c0
SHA1 hash: 0d0b53fad0cbbdc4b5606551a7ae6959173ec4e8

SHA256 hash: c39c4466f622b7320076076ea3eb13fa0f784b9b097dff46d802f905fc39d851
MD5 hash: a7993e5a520b17fec65435fb4838a08f
SHA1 hash: 18fe6286473a03735e7b701d4bfaf61ad35da7ad
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: Borland
Author: malware-lu
Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name: Indicator_MiniDumpWriteDump
Author: Obscurity Labs LLC
Description: Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: pe_imphash
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)
Rule name: TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Author: CYFARE
Description: Generic Windows malware mass-hunt rule - 2025
Reference: https://cyfare.net/
Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments