MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVisionRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7
SHA3-384 hash: 594eb7899be0600e7c2a6e92dbfba91e47cc2d431f440c4d7e501d4f2826518c3de133b98a08b9676e920e341da8f476
SHA1 hash: 71a43ec06c566ea2fdbf898104a4c3c02b87bb72
MD5 hash: b40af4f36e64a53783d8c3dde233dc1a
humanhash: north-artist-foxtrot-aspen
File name:HDFC PAYMENT.bat
Download: download sample
Signature DarkVisionRAT
Create hunting rule
File size:423'899 bytes
First seen:2025-02-20 13:13:22 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 6144:+7xGCfsp8mrunqNHsO+AyLT+9lAx1nZJoEU/ghKWv9yEZIYe7uAtYJ5bNrJ8Wpwy:g0amrgUH6NvvZvUY8+9ytiAtqpOWpLf
Threatray 60 similar samples on MalwareBazaar
TLSH T1EC9422920C2D82AADD3CBB2B65FD2E1C66B50FA15004FCCBD7E5844FD81F48522275BA
Magika txt
Reporter JAMESWT_WT
Tags:0x0-st 176-65-138-184 bat DarkVisionRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HDFCPAYMENT.bat
Verdict:
No threats detected
Analysis date:
2025-02-20 13:18:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c52f7e31-b13d-4530-ab59-edcf18241b58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b72ba028ab76d43a5c2a17
Tags:
obfuscate autorun xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd evasive lolbin masquerade obfuscated powershell timeout
Link:
https://www.filescan.io/uploads/67b748c762765a79bd9f9e98/reports/7c43bec3-8527-4898-8390-12b3c188a4e5/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1619190
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1619190 Sample: HDFC PAYMENT.bat Startdate: 19/02/2025 Architecture: WINDOWS Score: 100 52 zenforexpvtltd.hopto.org 2->52 54 0x0.st 2->54 60 Suricata IDS alerts for network traffic 2->60 62 Yara detected Powershell download and execute 2->62 64 Sigma detected: Drops script at startup location 2->64 66 5 other signatures 2->66 10 cmd.exe 1 2->10         started        13 cmd.exe 1 2->13         started        signatures3 process4 signatures5 70 Suspicious command line found 10->70 15 cmd.exe 1 10->15         started        18 conhost.exe 10->18         started        20 cmd.exe 1 13->20         started        22 conhost.exe 13->22         started        process6 signatures7 76 Suspicious command line found 15->76 24 powershell.exe 16 32 15->24         started        29 conhost.exe 15->29         started        31 cmd.exe 1 15->31         started        33 powershell.exe 25 20->33         started        35 conhost.exe 20->35         started        37 cmd.exe 1 20->37         started        39 timeout.exe 20->39         started        process8 dnsIp9 56 zenforexpvtltd.hopto.org 147.78.241.56, 49738, 49739, 49740 ASN-QUADRANET-GLOBALUS Norway 24->56 58 0x0.st 168.119.145.117, 443, 49731, 49744 HETZNER-ASDE Germany 24->58 50 C:\Users\user\...\StartupScript_1532d61d.cmd, ASCII 24->50 dropped 72 Suspicious powershell command line found 24->72 74 Found suspicious powershell code related to unpacking or dynamic code loading 24->74 41 powershell.exe 37 24->41         started        44 powershell.exe 28 24->44         started        46 powershell.exe 33->46         started        file10 signatures11 process12 signatures13 68 Loading BitLocker PowerShell Module 41->68 48 conhost.exe 41->48         started        process14
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=22stmxaekmyobe7tn4ivs7t2jgjeuuvt6gol5jc5g7y7d7gc76tq._file
Verdict:
malicious
Label(s):
darkvisionrat
Create hunting rule
Similar samples:
86f8e546815bd0b77b0fcc906b700caa5baed1568197378a20fa6b581a2ab709
DarkVisionRAT
934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206
DarkVisionRAT
9b7c71c299faeabcbe450a3a14da0579db63dcb86be807c1ab47389205048712
DarkVisionRAT
b6ed0abc84a0d8c92ab3f2218dba6b5a378613880aba5933fb67c934b399d30c
DarkVisionRAT
ba13ce53a9e5427803d6f1a70a46823277474be01f80349399b856ce299a627e
DarkVisionRAT
error
DarkVisionRAT
+ 50 additional samples on MalwareBazaar
Result
Malware family:
darkvision
Create hunting rule
Score:
  10/10
Tags:
family:darkvision execution rat
Link:
https://tria.ge/reports/250220-qgr2nswkbm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
.NET Reactor proctector
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
DarkVision Rat
Darkvision family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments