MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c158a126ea5e8a9cd99d1109c43ee7b7d18cb2dbf7aa7d0dee841a18f68d39a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVisionRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c158a126ea5e8a9cd99d1109c43ee7b7d18cb2dbf7aa7d0dee841a18f68d39a9
SHA3-384 hash: 71c5a567ebac55be356787ee16c681ae2b7b5550a05a6ca68d3d10f950008e61d57a50223f68a88797da19d960cc5e76
SHA1 hash: 65da391d3cdbbc92a1cc54f89c518c92cdbcf6ed
MD5 hash: 066389576ef4585343d763a03212df59
humanhash: romeo-winner-bluebird-march
File name:List of items and service we need.js
Download: download sample
Signature DarkVisionRAT
Create hunting rule
File size:1'285'079 bytes
First seen:2025-10-14 13:45:32 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 24576:0FSFyo9NjfO3qcD5qUy8BP55mh6YCLpyHiM93WeI:0YLLIqcDHT2iUBI
Threatray 1'066 similar samples on MalwareBazaar
TLSH T159552335CF262BAF844CDF75A0BF1A0D5E109F578CDAF1BA801190DB96FBA80632595C
Magika javascript
Reporter abuse_ch
Tags:DarkVisionRAT js RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ee544397a16d00a8d9df5d
Tags:
autorun dropper trojan virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 dropper obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/68ee565971883144ef36755f/reports/538eac4b-0982-4ba2-8470-03df27999478/overview
Verdict:
Malicious
Labled as:
GT:JS.Cbum.1
Link:
https://www.hybrid-analysis.com/sample/c158a126ea5e8a9cd99d1109c43ee7b7d18cb2dbf7aa7d0dee841a18f68d39a9
Verdict:
Malicious
File Type:
js
First seen:
2025-10-14T06:20:00Z UTC
Last seen:
2025-10-16T02:14:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.DOTHETUK.sb Trojan.MSIL.Agent.sb HEUR:Trojan.MSIL.Cryptos.gen Trojan-Downloader.JS.Cryptoload.sb Trojan.MSIL.BypassUAC.sb Trojan.MSIL.Dnoper.sb Trojan.Inject.TCP.ServerRequest Trojan.Win32.Inject.sb HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan.Script.Generic Trojan-Dropper.JS.SDrop.sb Trojan.VBS.SAgent.sb Trojan.Agent.TCP.ServerRequest Trojan-PSW.MSIL.PureLogs.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.Script.Alien.gen Trojan.MSIL.Inject.sb
Link:
https://opentip.kaspersky.com/c158a126ea5e8a9cd99d1109c43ee7b7d18cb2dbf7aa7d0dee841a18f68d39a9/results?tab=lookup
Result
Threat name:
DarkVision Rat, PureLog Stealer, Resolve
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1794911
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
JavaScript file contains suspicious strings
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected DarkVision Rat
Yara detected PureLog Stealer
Yara detected ResolverRAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1794911 Sample: List of items and service w... Startdate: 14/10/2025 Architecture: WINDOWS Score: 100 43 educare1.ddns.net 2->43 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 65 15 other signatures 2->65 9 wscript.exe 1 2 2->9         started        13 wscript.exe 1 2->13         started        15 cmd.exe 1 2->15         started        signatures3 63 Uses dynamic DNS services 43->63 process4 file5 41 C:\...\List of items and service we need.exe, PE32+ 9->41 dropped 67 Benign windows process drops PE files 9->67 69 JScript performs obfuscated calls to suspicious functions 9->69 71 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->71 17 List of items and service we need.exe 4 9->17         started        21 Values.exe 2 13->21         started        23 cmd.exe 1 15->23         started        25 conhost.exe 1 15->25         started        signatures6 process7 file8 37 C:\Users\user\AppData\Roaming\Values.exe, PE32+ 17->37 dropped 39 C:\Users\user\AppData\Roaming\...\Values.vbs, ASCII 17->39 dropped 47 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->47 49 Writes to foreign memory regions 17->49 51 Modifies the context of a thread in another process (thread injection) 17->51 27 InstallUtil.exe 2 5 17->27         started        53 Injects a PE file into a foreign processes 21->53 55 Found direct / indirect Syscall (likely to bypass EDR) 21->55 31 InstallUtil.exe 21->31         started        33 InstallUtil.exe 2 23->33         started        signatures9 process10 dnsIp11 45 educare1.ddns.net 198.135.49.120, 3442 CISCOSYSTEMSUS United States 27->45 73 Found evasive API chain (may stop execution after checking mutex) 27->73 35 conhost.exe 33->35         started        signatures12 process13
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c158a126ea5e8a9cd99d1109c43ee7b7d18cb2dbf7aa7d0dee841a18f68d39a9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c158a126ea5e8a9cd99d1109c43ee7b7d18cb2dbf7aa7d0dee841a18f68d39a9/
Verdict:
Malicious
Threat:
Family.DARKVISION
Link:
https://tip.neiki.dev/file/c158a126ea5e8a9cd99d1109c43ee7b7d18cb2dbf7aa7d0dee841a18f68d39a9
Threat name:
Script-JS.Dropper.Nemucod
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 14:02:01 UTC
File Type:
Text (JavaScript)
AV detection:
14 of 24 (58.33%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfmkcjxkl2fjzwm5cee4ipxhw7iyzmw366vh2dpoqqnbr5unhguq._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
Similar samples:
2fa2803f39b96585fa885f4cf470206766b3306cb04ec06e13e4fab14dec3ecf
DarkVisionRAT
40349b175d406c91e9ff816243f1906196d98b894e107687369d63f85a8f8224
DarkVisionRAT
bddd195fcb9d1a1bc5fb86692d88b34557bebd7a5e537a4556bad195af6cff53
DarkVisionRAT
c0ed3d2fbf4b6422279cf57b5278715e910ae116b4ff7e9304f7279aad206f5e
DarkVisionRAT
c740d11163715295558cdae9b9089d49bb8956bc632bf7b5dbf059ed579f310a
DarkVisionRAT
d17fbdccb55a602246b26034b6ce9d64ae1c3b5ad48fd93a732d2fb1dd8de6df
DarkVisionRAT
e27a15dbdc86d507183fcddbea9e1ded556479a7b6211e911f353e9e7c05f453
DarkVisionRAT
e45a11dfd7e9b1a6dbd2f2a75c669ae8b7a6912cd0ca5e30e37510d20dd04e2e
DarkVisionRAT
error
DarkVisionRAT
f481044b3ea1b4a5d412c7932370602a96cb00763650edb290959491e3c9ef23
DarkVisionRAT
+ 1'056 additional samples on MalwareBazaar
Result
Malware family:
darkvision
Create hunting rule
Score:
  10/10
Tags:
family:darkvision defense_evasion execution rat
Link:
https://tria.ge/reports/251014-q8lnzazzcs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Prevents Microsoft Defender from scanning certain paths by adding an exclusion.
Command and Scripting Interpreter: PowerShell
DarkVision Rat
Darkvision family
Process spawned unexpected child process
Malware Config
C2 Extraction:
educare1.ddns.net
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/c158a126ea5e8a9cd99d1109c43ee7b7d18cb2dbf7aa7d0dee841a18f68d39a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments