MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92a4270557ad29e087495c1ffc93bea0e03cc16943e8836ea708d4e428eae088. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkVisionRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash: 92a4270557ad29e087495c1ffc93bea0e03cc16943e8836ea708d4e428eae088
SHA3-384 hash: e307a035b5e629c4d66ce549e899dbb12b8910b3100ddc8624d935422f3c4c635b7e48ba28393d90d8b1f131e5e8a24f
SHA1 hash: bc342853b1580a4af46c97145308d97bc2dffeb4
MD5 hash: d53d7a240d75f851a332f678b839a6b3
humanhash: coffee-yankee-delta-double
File name:92a4270557ad29e087495c1ffc93bea0e03cc16943e8836ea708d4e428eae088
Download: download sample
Signature DarkVisionRAT
File size:2'172'928 bytes
First seen:2026-06-08 09:42:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:v5AAlBiZDEc7h8mIn0Y8bu0B8S5vykp+M/R31iMzwd:/aZoconeS0Bp5vykrR33zo
TLSH T1A1A501D0BA05D886ED5313F1482AEA7011B95D9DA4E0A21D75EA7E277AF334320B7C4F
TrID 44.6% (.EXE) Win64 Executable (generic) (6522/11/2)
14.0% (.ICL) Windows Icons Library (generic) (2059/9)
13.8% (.EXE) OS/2 Executable (generic) (2029/13)
13.7% (.EXE) Generic Win/DOS Executable (2002/3)
13.6% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
dhash icon 1c189bda9b2d575b (14 x Formbook, 4 x SnakeKeylogger, 2 x DarkTortilla)
Reporter adrian__luca
Tags:DarkVisionRAT exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
57
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
95.7%
Tags:
agensla virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Reading critical registry keys
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated packed
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-05-14T04:50:00Z UTC
Last seen:
2026-06-09T14:00:00Z UTC
Hits:
~100
Malware family:
DarkVision RAT
Verdict:
Malicious
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Generic
Status:
Suspicious
First seen:
2026-05-14 12:22:52 UTC
AV detection:
15 of 21 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
darkvisionrat xworm kleptoparasitestealer
Similar samples:
Result
Malware family:
darkvision
Score:
  10/10
Tags:
family:darkvision execution persistence rat spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Family: DarkVision Rat
Malware Config
C2 Extraction:
teebro1800.dynamic-dns.net
Unpacked files
SH256 hash:
92a4270557ad29e087495c1ffc93bea0e03cc16943e8836ea708d4e428eae088
MD5 hash:
d53d7a240d75f851a332f678b839a6b3
SHA1 hash:
bc342853b1580a4af46c97145308d97bc2dffeb4
Malware family:
DarkvisionRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:pe_no_import_table
Description:Detect pe file that no import table

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments