MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVisionRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412
SHA3-384 hash: 96abecde010e27476585111d945b57ee5d83b0022d9058ab6695bd4b737e456c00c9572d09d7d28587c52e291b618d54
SHA1 hash: 4714ab1343bd3f1a98984937be5579f18f9fc960
MD5 hash: 1ddef122a29bf06c1710424a57464813
humanhash: blossom-ack-nebraska-item
File name:1ddef122a29bf06c1710424a57464813.exe
Download: download sample
Signature DarkVisionRAT
Create hunting rule
File size:560'848 bytes
First seen:2026-04-16 07:05:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a90dd0da2b8eddb963b8ea61476b1e94 (1 x DarkVisionRAT)
ssdeep 12288:oCkVN7FRFdxEofkoTcf5Q9LoNzAiREOzb4P:oCkjFd/fkNOLoN1Eob4P
TLSH T1C1C4BE95DBE907D9E1B79A7488F10500EA377C454BB0D68F0384C4BB5F67A92CE39B22
TrID 93.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
2.3% (.EXE) Win64 Executable (generic) (6522/11/2)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:DarkVisionRAT exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-04-16 07:09:09 UTC
Tags:
uac auto-startup loader
Link:
https://app.any.run/tasks/17cfb93c-6e42-4573-abf0-6aaea92c78c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61843/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Rozena.10030.30488.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e08ad7f68adfe1003a51fe
Tags:
trojan shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
DNS request
Connection attempt
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-15T18:21:00Z UTC
Last seen:
2026-04-16T06:59:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Win64.Agent.gen Backdoor.Win64.Agent.sb PDM:Trojan.Win32.Generic Trojan.MSIL.BypassUAC.sb
Link:
https://opentip.kaspersky.com/ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412/results?tab=lookup
Gathering data
Result
Threat name:
DarkVision Rat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1899275
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses dynamic DNS services
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1899275 Sample: aX26LWmWym.exe Startdate: 16/04/2026 Architecture: WINDOWS Score: 100 25 lirtjds25k.duckdns.org 2->25 33 Suricata IDS alerts for network traffic 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 41 7 other signatures 2->41 9 aX26LWmWym.exe 2 1 2->9         started        13 svchost.exe 1 1 2->13         started        signatures3 39 Uses dynamic DNS services 25->39 process4 dnsIp5 27 lirtjds25k.duckdns.org 91.92.242.132, 49684, 49685, 49686 THEZONEBG Bulgaria 9->27 43 Adds a directory exclusion to Windows Defender 9->43 45 Unusual module load detection (module proxying) 9->45 15 cmd.exe 1 9->15         started        29 127.0.0.1 unknown unknown 13->29 signatures6 process7 signatures8 47 Adds a directory exclusion to Windows Defender 15->47 18 powershell.exe 23 15->18         started        21 conhost.exe 15->21         started        process9 signatures10 31 Loading BitLocker PowerShell Module 18->31 23 WmiPrvSE.exe 18->23         started        process11
Score:
21%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412/
Verdict:
Malicious
Threat:
Family.DARKVISION
Link:
https://tip.neiki.dev/file/ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412
Threat name:
Win64.Backdoor.Rozena
Create hunting rule
Status:
Malicious
First seen:
2026-04-16 00:56:18 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqspnug2snziexiw45nhn3bpipiyli5ln3f3dx3nppsifzhkaqja._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution
Link:
https://tria.ge/reports/260416-hw2weshx2q/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks computer location settings
Prevents Microsoft Defender from scanning certain paths by adding an exclusion.
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412
MD5 hash:
1ddef122a29bf06c1710424a57464813
SHA1 hash:
4714ab1343bd3f1a98984937be5579f18f9fc960
Link:
https://www.unpac.me/results/d712b5dc-e77e-4144-b754-29d576949ce5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkVisionRAT

Executable exe ac24f6d0da9372825d16e75a76ec2f43d185a3ab6ecbb1df6d7be482e4ea0412

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3823178/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/61843/

Comments