MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c839ec03c9b07879980d362ba4615df453d6e5847baf8fb89e1d0f2c5bafb2b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkVisionRAT
Vendor detections: 10



SHA256 hash: c839ec03c9b07879980d362ba4615df453d6e5847baf8fb89e1d0f2c5bafb2b8
SHA3-384 hash: 127865d39ef8531479d2a1ce2a2e523759571bd0c50b032bee631bbd15b8d788b79370e6cf78ebcaf3da47f5118efd79
SHA1 hash: 5f8a0e82674b25a9ef0f5d93f23075b1d7fb632b
MD5 hash: 03f88b6e5c92cf8865b13fb7495eac0a
humanhash: iowa-two-april-hot
File name: upgrade.hta
Signature: DarkVisionRAT
File size: 25'702 bytes
First seen: 2024-12-07 14:41:08 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 192:b4sMlPX9+eCSEXxJckNfWMLAxdEW0UDqSbsCxLuoe23qNT2xZg6w0JGppinxDkdv:b4pX9+eCSEZLgi23q+gSIuq
Threatray: 5 similar samples on MalwareBazaar
TLSH: T1D5B2AE2996027C34EA7D07E14C36CEB9D5734178C15532B02783BAB53F19ABBF6A640B
Magika: vba
Reporter: abuse_ch
Tags: DarkVisionRAT hta

Intelligence

File Origin
# of uploads: 1
# of downloads: 76
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 99.9%
Tags: vmdetect valyria gumen
Result
Verdict: Malicious
File Type: HTA File - Malicious

Behaviour: BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm dropper fingerprint powershell

Result
Verdict: UNKNOWN

Result
Threat name: DarkVision Rat
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature:
Signature
AI detected suspicious sample
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1570651, sample upgrade.hta, start date 07/12/2024, architecture WINDOWS, score 100), rebuilt from the flattened graph export:

Contacted hosts: lomejorerty6.site; pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev; pub-c5a18eb76e034d88899e1f44f859a849.r2.dev
Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 7 other signatures

Process tree:
mshta.exe (Suspicious powershell command line found)
  powershell.exe
    contacts pub-c5a18eb76e034d88899e1f44f859a849.r2.dev (162.159.140.237, port 443, CLOUDFLARENETUS, United States)
    contacts pub-e1fcdad8276d47dfad3f82f5936b9c53.r2.dev (172.66.0.235, port 443, CLOUDFLARENETUS, United States)
    drops C:\Users\user\AppData\Roaming\second.exe (PE32+), C:\Users\user\AppData\Roaming\KNVYINNN.exe (PE32+) (Powershell drops PE file)
    KNVYINNN.exe
      drops C:\Users\user\python27.dll (PE32), C:\Users\user\pyexec.exe (PE32), C:\Users\user\msvcr90.dll (PE32) (Multi AV Scanner detection for dropped file; Drops PE files to the user root directory)
      pyexec.exe
        drops C:\Users\user\AppData\...\python27.dll (PE32), C:\Users\user\AppData\Roaming\...\pyexec.exe (PE32), C:\Users\user\AppData\Roaming\...\msvcr90.dll (PE32)
        (Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR))
        pyexec.exe
          (Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR))
          cmd.exe
            drops C:\Users\user\AppData\Local\Temp\btbiig (PE32+), C:\Users\user\AppData\Local\...\BQE_Fast.exe (PE32+)
            (Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces)
            BQE_Fast.exe
              contacts lomejorerty6.site (104.21.72.125, port 443, CLOUDFLARENETUS, United States)
              (Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal Bitcoin Wallet information; Found direct / indirect Syscall (likely to bypass EDR))
            conhost.exe
    second.exe
      drops C:\Users\user\Virtual.exe (PE32+), C:\Users\user\VBoxRT.dll (PE32+), C:\Users\user\VBoxDDU.dll (PE32+), 2 other files (none is malicious)
      Virtual.exe
        drops C:\Users\user\AppData\Roaming\...\Virtual.exe (PE32+), C:\Users\user\AppData\Roaming\...\VBoxRT.dll (PE32+), C:\Users\user\AppData\Roaming\...\VBoxDDU.dll (PE32+), 2 other files (none is malicious)
        Virtual.exe
          cmd.exe
            drops C:\Users\user\AppData\Local\Temp\yawa (PE32+)
            (Injects code into the Windows Explorer (explorer.exe))
            conhost.exe
            explorer.exe
    conhost.exe
pyexec.exe (started separately; Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR))
  cmd.exe
    drops C:\Users\user\AppData\Local\Temp\sfywpwa (PE32+)
    conhost.exe
KNVYINNN.exe (started separately)
  pyexec.exe
    pyexec.exe
      (Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR))
      cmd.exe
        conhost.exe
svchost.exe
  contacts 127.0.0.1
Threat name: Script-WScript.Trojan.Valyria
Status: Malicious
First seen: 2024-11-15 22:07:46 UTC
File Type: Text (VBS)
AV detection: 11 of 38 (28.95%)
Threat level: 5/5

Result
Malware family: darkvision
Score: 10/10
Tags: family:darkvision collection discovery execution persistence rat spyware stealer
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
DarkVision Rat
Darkvision family
Malware Config
C2 Extraction: 5.206.227.213
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DarkVisionRAT
File type: HTML Application (hta)
SHA256: c839ec03c9b07879980d362ba4615df453d6e5847baf8fb89e1d0f2c5bafb2b8 (this sample)

Delivery method
Distributed via web download

Comments