MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f718c26babbb7e37d42363a9b9fcbcb5bc731215cdf4580e0b8ee45804b422bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkVisionRAT

Vendor detections: 11

SHA256 hash: f718c26babbb7e37d42363a9b9fcbcb5bc731215cdf4580e0b8ee45804b422bb
SHA3-384 hash: 2741edde4ebbf3c800d327adf343da388ffd5475a85502dc05901d448ecef77e57303274f1331f17e555a0ff23bc2818
SHA1 hash: 13424a30e7d92483cd20e890735bbde12df4c54f
MD5 hash: f9e24b53839312c300bc6222e84279eb
humanhash: carbon-kilo-oregon-bacon
File name: GWcR1uV.exe
Signature: DarkVisionRAT
File size: 2'367'256 bytes
First seen: 2026-01-30 09:47:26 UTC
Last seen: 2026-01-30 10:43:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 815e1ba56e855b07daa7197697b159cd (8 x DarkVisionRAT)
ssdeep: 49152:hQQGqXZjK4JNeCg6TChaSOi27VsKjwbsol:hQ6W4JgFiSxKAsm
TLSH: T10BB5238638C024B6DA2BCE31D5D9E196F8773E0D6D343C5D3AB0788C1E756A40B6D62B
TrID: 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: DarkVisionRAT exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 101
Origin country: SE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: GWcR1uV.exe
Verdict: Malicious activity
Analysis date: 2026-01-30 07:20:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt
Verdict: Malicious
File Type: exe x64
First seen: 2026-01-29T11:45:00Z UTC
Last seen: 2026-01-30T10:24:00Z UTC
Hits: ~10
Detections: VHO:Trojan.Win32.Agent.gen Trojan.Win32.Agent.xccidz Trojan.Win32.Agent.sb
Result
Threat name: DarkVision Rat
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates autostart registry keys with suspicious names
Deletes itself after installation
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found driver which could be used to inject code into processes
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries disk data (e.g. SMART data)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Registers a service to start in safe boot mode
Sample is not signed and drops a device driver
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1860334): Sample GWcR1uV.exe, Startdate 30/01/2026, Architecture WINDOWS, Score 100
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2026-01-29 22:19:01 UTC
File Type: PE+ (Exe)
Extracted files: 10
AV detection: 11 of 38 (28.95%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Deletes itself
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: f718c26babbb7e37d42363a9b9fcbcb5bc731215cdf4580e0b8ee45804b422bb
MD5 hash: f9e24b53839312c300bc6222e84279eb
SHA1 hash: 13424a30e7d92483cd20e890735bbde12df4c54f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: telebot_framework
Author: vietdx.mb

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: DarkVisionRAT
File type: Executable exe
SHA256: f718c26babbb7e37d42363a9b9fcbcb5bc731215cdf4580e0b8ee45804b422bb (this sample)

Comments