MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac1f767bad90f41ea9aec4d549ab5f839951119dc9e6a1c8300fc7893cb2431a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkVisionRAT

Vendor detections: 19

Intelligence 19 IOCs YARA 14 File information Comments

SHA256 hash:	ac1f767bad90f41ea9aec4d549ab5f839951119dc9e6a1c8300fc7893cb2431a
SHA3-384 hash:	6d36c364cc2161403737f505b83550022f32cbd7ecde206a3f4ea61c08bfc3ada472fefccbcf1d7d3fc42cfcadff1c99
SHA1 hash:	e64df55048d241d860f341b0a897b88d9a36e1c2
MD5 hash:	b996017366db577d2b45231378122264
humanhash:	jersey-cola-alanine-oranges
File name:	file
Download:	download sample
Signature	DarkVisionRAT Create hunting rule
File size:	1'060'864 bytes
First seen:	2025-09-24 04:03:10 UTC
Last seen:	2025-09-25 20:23:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:TPdDjU/o84JJuCH3H86PV5uLjvzBJgjvlPdDjU/o84JJuCH3H86PV5uLjvzBJgjv:zdDk4JrH3H8coEv9dDk4JrH3H8coEv
Threatray	53 similar samples on MalwareBazaar
TLSH	T12535D055D660816EDD8E60FF150ADBDB063C4278831AA2C3B9BD7D479B70CF01E6E982
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	DarkVisionRAT dropped-by-amadey exe

Bitsight

url: http://178.16.54.200/files/8292810163/hJFvGvb.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

random.exe

Verdict:

Malicious activity

Analysis date:

2025-09-23 20:35:00 UTC

Tags:

stealc stealer vidar amadey botnet unlocker-eject tool arch-exec loader auto-reg auto gcleaner themida aurotun rdp evasion phishing lumma anti-evasion autoit rhadamanthys golang pastebin auto-startup payload

Link:

https://app.any.run/tasks/8575eff7-33c6-4957-9870-65e9a701d367

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/28728/

Detection(s):

SecuriteInfo.com.BackDoor.XenoRatNET.11.31643.24438.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d53cdbcc9425144151cb9f

Tags:

virus spawn sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Launching a process

Creating a process with a hidden window

Connection attempt

Forced system process termination

Launching cmd.exe command interpreter

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68d36df658f24ea0d22a7488/reports/370df518-a15c-4cc4-937b-0c4d43bc6549/overview

Verdict:

Malicious

Labled as:

Marsilia.Generic

Link:

https://www.hybrid-analysis.com/sample/ac1f767bad90f41ea9aec4d549ab5f839951119dc9e6a1c8300fc7893cb2431a

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-23T13:30:00Z UTC

Last seen:

2025-09-23T13:30:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan.MSIL.Quasar.gen HEUR:Backdoor.Win32.Androm.gen Backdoor.Win32.Androm Trojan.Inject.TCP.ServerRequest Trojan.Agent.TCP.ServerRequest PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.BypassUAC.sb

Link:

https://opentip.kaspersky.com/ac1f767bad90f41ea9aec4d549ab5f839951119dc9e6a1c8300fc7893cb2431a/results?tab=lookup

Malware family:

DarkVision RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a3fa4655-be55-4e18-888c-d14d738eec3d

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ac1f767bad90f41ea9aec4d549ab5f839951119dc9e6a1c8300fc7893cb2431a

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.18 Win 32 Exe x86

Link:

https://app.malva.re/file/b996017366db577d2b45231378122264

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ac1f767bad90f41ea9aec4d549ab5f839951119dc9e6a1c8300fc7893cb2431a/

Verdict:

Malicious

Threat:

Family.DARKVISION

Link:

https://tip.neiki.dev/file/ac1f767bad90f41ea9aec4d549ab5f839951119dc9e6a1c8300fc7893cb2431a

Threat name:

ByteCode-MSIL.Trojan.Mardom

Status:

Malicious

First seen:

2025-09-23 17:41:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vqpxm65nsd2b5knoytkutk27qomvcem5zhtkdsbqb7dyspfsimna._file

Verdict:

malicious

Label(s):

darkvisionrat

DarkVisionRAT

64728f6f47f8231a92600c2f37f11a1199e2f9fa4659d471ba5899ff80473c32

DarkVisionRAT

8fc1bd816b1865518ff0620f8ac09a85aa3d8c5d660ba423b7d13b09f325baa9

DarkVisionRAT

bebe3cadd1d51412d055ba11ebc64091c45e2ef47dbcc7135d2d762f26a466c2

DarkVisionRAT

c2ee598db573b89211027b5607fb6561742991be3b9d5ed9e413a3c3d35da01b

DarkVisionRAT

error

DarkVisionRAT

+ 43 additional samples on MalwareBazaar

Result

Malware family:

darkvision

Score:

10/10

Tags:

family:darkvision discovery persistence rat

Link:

https://tria.ge/reports/250924-eny8sabn6t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Adds Run key to start application

Executes dropped EXE

Badlisted process makes network request

DarkVision Rat

Darkvision family

Malware Config

C2 Extraction:

80.76.49.153

Verdict:

Malicious

Tags:

DarkVision_RAT

YARA:

n/a

Link:

https://app.threat.zone/submission/89908b18-00ff-4712-89f1-ce43bd99bcad

Unpacked files

SH256 hash:

e8208b74bd4fbc3db1943fe19bedc9ad9fcc65fd4d874cd643314fb1a201c799

MD5 hash:

f4bb3998f3768b1b2bd6abf53c741e89

SHA1 hash:

b4e59d19f90b039dcf52d2a0608b819ea9a256f9

Detections:

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/3c686afb-d009-47ef-bb34-73b04d85cd7c/

SH256 hash:

ac1f767bad90f41ea9aec4d549ab5f839951119dc9e6a1c8300fc7893cb2431a

MD5 hash:

b996017366db577d2b45231378122264

SHA1 hash:

e64df55048d241d860f341b0a897b88d9a36e1c2

Link:

https://www.unpac.me/results/3c686afb-d009-47ef-bb34-73b04d85cd7c/

Malware family:

Darkvision RAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ac1f767bad90/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.68

Link:

https://yomi.yoroi.company/submissions/ac1f767bad90f41ea9aec4d549ab5f839951119dc9e6a1c8300fc7893cb2431a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	darkVision Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked darkVision malware samples.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	ICMLuaUtil_UACMe_M41 Create hunting rule
Author:	Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:	A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:	https://github.com/hfiref0x/UACME

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_NET_Base64_Xor_Implementation Create hunting rule
Author:	Jonathan Peters (cod3nym)
Description:	Detects .NET applications implementing xor encryption/decryption for Base64 strings

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)