MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkVisionRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757
SHA3-384 hash: 367cb08af64f6561d5f5230286e36f8bb87ca9120cc67f63d32640dd487a4701ac00a114a17dbb984d88680a68cc99d5
SHA1 hash: 6a383b158bce0eaba53e078ef65d1c5aa951903f
MD5 hash: 0d1b251406af24179e5210d168ada9f8
humanhash: utah-pluto-burger-ten
File name:microsoftteam.exe
Download: download sample
Signature DarkVisionRAT
Create hunting rule
File size:543'744 bytes
First seen:2026-01-22 15:26:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f2a30df6c61810ddcdc7b4deb0861a6c (1 x DarkVisionRAT)
ssdeep 6144:obeVL2uQ/iRsTmtAsSzYJRPzTow4i9T+vzwgXh/Jjvb1vTv5x0IpR8Y8y1hn:obeV2uQ/iRsTmtAsR9yzLXhtiy
Threatray 14 similar samples on MalwareBazaar
TLSH T149C4E947EF7550E8C8B6C07886A26627F971785D5334ABD78B548E071F22BE0E93EB04
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter James_inthe_box
Tags:DarkVisionRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
DarkVision
Details
DarkVision
a missionid and a c2 socket address or c2 url(s)
Link:
https://research.acce.ciphertechsolutions.com/results/0c5fbd39-6c31-48d2-9785-92d178dcb0f4/
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2026-01-22 15:13:26 UTC
Tags:
phishing remote xworm auto-reg auto-startup darkvision stealer
Link:
https://app.any.run/tasks/431d2b22-c068-4483-8d88-86447a6c2fb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49756/
Detection(s):
Win.Malware.Lazy-10021166-0
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697241e3f3cf908ba5075d72
Tags:
autorun dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
darkvision evasive microsoft_visual_cc mikey
Link:
https://www.filescan.io/uploads/697241dd55805a763ff05dcf/reports/0bec840c-b833-47da-afec-0a6ec71b7dab/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-22T12:36:00Z UTC
Last seen:
2026-01-24T02:21:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.BypassUAC.sb Trojan.MSIL.BypassUAC.boa Trojan.VBKrypt.UDP.ServerRequest Trojan.Inject.TCP.ServerRequest Trojan.Agent.TCP.ServerRequest PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757/results?tab=lookup
Malware family:
DarkVision RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3273253-fec2-43e4-9df8-aec4bbea03e3
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/0d1b251406af24179e5210d168ada9f8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757/
Verdict:
Malicious
Threat:
Family.DARKVISION
Link:
https://tip.neiki.dev/file/eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757
Threat name:
Win64.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2026-01-22 15:26:28 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5wt2kilor25h3bsi24lax5skbhyuftnsifrwjfut2a2h65fgk5lq._file
Verdict:
malicious
Label(s):
darkvisionrat
Create hunting rule
Similar samples:
09a08aaed109ea12258695665c467524566a324260f1dfd19307779f29446809
DarkVisionRAT
2a59b5935e01dd4cd79ae401fdb666cf096ea8e793b6fea73c7602471e961f04
DarkVisionRAT
6f9c1b2d7a3287b2615068382a7febcc4f3b39ce1acecd59ed8687c3d7b0123e
DarkVisionRAT
aaf5fd4e2f34a1054d0949a9652eaee489dfc4f61a73f39d19ebb8beaf38bc70
DarkVisionRAT
c84cf393fe6d5c8157a4d899a2a658ad2e95df67891d77108ab3be5ce7e01f9b
DarkVisionRAT
eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757
DarkVisionRAT
error
DarkVisionRAT
+ 4 additional samples on MalwareBazaar
Result
Malware family:
darkvision
Create hunting rule
Score:
  10/10
Tags:
family:darkvision defense_evasion execution rat
Link:
https://tria.ge/reports/260122-svzd1sfz2b/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Executes dropped EXE
Prevents Microsoft Defender from scanning certain paths by adding an exclusion.
Command and Scripting Interpreter: PowerShell
DarkVision Rat
Darkvision family
Unpacked files
SH256 hash:
eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757
MD5 hash:
0d1b251406af24179e5210d168ada9f8
SHA1 hash:
6a383b158bce0eaba53e078ef65d1c5aa951903f
Link:
https://www.unpac.me/results/204b5b54-f6e1-4eec-932b-8c52307fc42f/
Malware family:
DarkvisionRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eda7a5216e8e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eda7a5216e8eba7d8648d7160bf64a09f142cdb24163649693d0347f74a65757

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/49756/

Comments