File name:

DarkVision Rat.7z

Full analysis: https://app.any.run/tasks/043218d7-789a-4271-9673-0b26bceda3cc
Verdict: Malicious activity
Threats:

DarkVision RAT is a low-cost, modular Remote Access Trojan that gives an operator remote control of infected Windows hosts. First observed around 2020 and sold on underground forums, it is notable for a full feature set delivered as loadable plugins (keylogging, screen and microphone capture, file theft, memory dumping, remote command execution) and, in recent campaigns, for distribution through multi-stage loaders. The archive analysed here contains the RAT executable together with its plugin DLLs (see Dropped files below).

Analysis date: July 07, 2024, 16:14:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
darkvision
rat
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

3FFE675EBA4CB6AE5D5FF93A600E1635

SHA1:

8EC8F85F0879D86BBE776ABAFF8AFB3B08C27950

SHA256:

3F6692D2E43BCFA91FD2D663BC64BAC34D7CBD4EAA009C94010D27822111CBD9

SSDEEP:

98304:5jjxeUFKYYeg/hFktd9jE85Kl7nlQ8bYD9rBN6E5VKYIkCWRdxQ2pbh5y2DDm+bX:BfVOHyR2Vy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • [YARA] DarkVision RAT is detected

      • DARKVISION.exe (PID: 6788)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • DARKVISION.exe (PID: 6700)
    • Application launched itself

      • DARKVISION.exe (PID: 6700)
    • Reads the date of Windows installation

      • DARKVISION.exe (PID: 6700)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4928)
    • Reads the computer name

      • DARKVISION.exe (PID: 6700)
      • DARKVISION.exe (PID: 6788)
    • Checks supported languages

      • DARKVISION.exe (PID: 6700)
      • DARKVISION.exe (PID: 6788)
    • Process checks computer location settings

      • DARKVISION.exe (PID: 6700)
    • Manual execution by a user

      • DARKVISION.exe (PID: 6700)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4928)
    • Reads the machine GUID from the registry

      • DARKVISION.exe (PID: 6788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes
143
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

explorer.exe
  WinRAR.exe (PID 4928): opens DarkVision Rat.7z and extracts it into a Rar$DRb4928.21466 temp folder
svchost.exe
  rundll32.exe (PID 6652, "no specs"): shell COM local-server start via shell32!SHCreateLocalServerRunDll, not spawned by the sample
explorer.exe
  DARKVISION.exe (PID 6700, MEDIUM integrity, "no specs"): started from Desktop\DarkVision Rat\
    DARKVISION.exe (PID 6788, HIGH integrity, #DARKVISION): YARA match

"no specs" is ANY.RUN's label for a process with no signature hits of its own. Two points are worth reading from this tree. First, the sample runs from the Desktop copy, not from WinRAR's temp extraction folder, so the user extracted it and launched it by hand ("Manual execution by a user"). Second, the relaunched copy runs at HIGH integrity while its parent runs at MEDIUM ("Application launched itself"). In an interactive sandbox that step may simply be an accepted UAC prompt, so treat it as an elevation, not as evidence of a UAC bypass, unless the full report shows otherwise. The DarkVision YARA rule fires only on the elevated child (PID 6788).

Process information

PID: 4928
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DarkVision Rat.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6652
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6700
CMD: "C:\Users\admin\Desktop\DarkVision Rat\DARKVISION.exe"
Path: C:\Users\admin\Desktop\DarkVision Rat\DARKVISION.exe
Parent process: explorer.exe
(no Company, Description or Version fields reported: the binary carries no version resource)
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\darkvision rat\darkvision.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6788
CMD: "C:\Users\admin\Desktop\DarkVision Rat\DARKVISION.exe"
Path: C:\Users\admin\Desktop\DarkVision Rat\DARKVISION.exe
Parent process: DARKVISION.exe (PID 6700)
(no exit code recorded)
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\darkvision rat\darkvision.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
5 848
Read events
5 820
Write events
28
Delete events
0

Modification events

PID (process) | Key | Operation | Name | Value
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\DarkVision Rat.7z
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | write | ShowPassword | 1
4928 (WinRAR.exe) | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

Every listed registry write belongs to WinRAR's own UI state (theme, archive history, column widths, window placement). No registry modification by DARKVISION.exe appears in the exported events, so this run shows no registry-based persistence; check the full report's 28 write events before concluding there is none.
Executable files
41
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\DARKVISION.exe (executable)
  MD5: D7411ABD0A54122366700FD5394019D1
  SHA256: 648E1C9FD7AACB58C4285CF6A54D9E58F5C2C1F6CC1F166B9E13E7D6A3C4A7FB
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\FILEPLUGIN32.DLL (executable)
  MD5: C35D2454860618AD9CE671A6081E6540
  SHA256: 20C66FB1356518CFAEDB95CB3C7F8DD779A7EBA398280DFB916799C545D2DB82
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\DROPPERPLUGIN32.DLL (executable)
  MD5: 40CC4932320C65FBB5CF1B07CD6D42AB
  SHA256: 96454417229C3629BBAE5C909A1A15770F0AEA6BB633C28CE12AA3105E51A1DB
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\{9B0AF4E7-83D4-4AF8-83EC-9EFAF0769048} (binary)
  MD5: 1AA0DAE9A57DF464D6860F767529D7DC
  SHA256: 5CA538BCB2B615C330205A565E0177E5031A838C0284ED1F4F02597157B864EF
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\FILEPLUGIN64.DLL (executable)
  MD5: 15F74A7350ED9A19D15BE88E965D77DE
  SHA256: 3EF8922F7BB2C456CB50B698EBD6B68561D3D74BBBA0CBA5B334F99497A97FF9
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\DROPPERPLUGIN64.DLL (executable)
  MD5: 5D2CED6944769633C1540E6D2462EFE0
  SHA256: 353D6D894C5ABB8AF81D7B3DEFC327156CABDD8D9A9A2534D57ABAEC18D6999D
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\KILLSWITCHPLUGIN64.DLL (executable)
  MD5: 3778830910DA7411F5FCF878F535A52E
  SHA256: 9F37EBB3F41C58C76700027BBC5B61010B86905841017FEFD51AB0173C651B86
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\MICROPHONECAPTUREPLUGIN64.DLL (executable)
  MD5: 855673689DB2A4B1E29DCE0D0615F370
  SHA256: 178B4B009987569E17A3679FA8DE419FCEAF628F3065F936EAFCAF0ADC133775
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\MEMORYDUMPPLUGIN32.DLL (executable)
  MD5: F22A226EE2D0F0BCEB2D0EF564E86C6D
  SHA256: A215327AC084D85883D77908DC64453B92424AADEF245EF42E076653FF73CA8D
PID 4928 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRb4928.21466\DarkVision Rat\LIVEKEYLOGGERPLUGIN32.DLL (executable)
  MD5: 6FABA5D510102796DB1F261817D79DB3
  SHA256: 992A8CAFBDBEF8033956774C57200E4CF535DB9E05AF0181650E14AA3C81DD20

Only the first ten dropped files are listed here; the report counts 41 executable files in total. All of them are WinRAR's extraction of the archive, not files written by the RAT itself. The plugin DLLs (FILEPLUGIN, DROPPERPLUGIN, KILLSWITCHPLUGIN, MICROPHONECAPTUREPLUGIN, MEMORYDUMPPLUGIN, LIVEKEYLOGGERPLUGIN, each in 32- and 64-bit builds) are the modules behind the feature set described above. For hunting, the per-file hashes here are the useful indicators; the 7z hashes at the top identify only this particular packaging.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
79
DNS requests
16
Threats
0

HTTP requests

PID   Process                 Method  Code  IP                  URL
5952  backgroundTaskHost.exe  GET     200   192.229.221.95:80   http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
3040  OfficeClickToRun.exe    GET     200   192.229.221.95:80   http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
1452  RUXIMICS.exe            GET     200   23.48.23.143:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
2060  svchost.exe             GET     200   23.48.23.143:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
2064  MoUsoCoreWorker.exe     GET     200   23.48.23.143:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
2060  svchost.exe             GET     200   184.30.21.171:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
2064  MoUsoCoreWorker.exe     GET     200   184.30.21.171:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
1452  RUXIMICS.exe            GET     200   184.30.21.171:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
4656  SearchApp.exe           GET     200   192.229.221.95:80   http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
5600  backgroundTaskHost.exe  GET     200   192.229.221.95:80   http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D

The CN, Type, Size and Reputation columns were exported as "unknown" for every row and are omitted. None of the listed requests originates from DARKVISION.exe (PIDs 6700 and 6788): they are CRL and OCSP fetches by Windows and Office components. This capture therefore contains no C2 indicator for the sample; treat that as a gap in the observation, not as evidence that the RAT has no C2.

Connections

PID   Process              Destination           Domain             ASN                          Country  Reputation
4     System               192.168.100.255:137                                                            whitelisted
4032  svchost.exe          239.255.255.250:1900                                                           whitelisted
4656  SearchApp.exe        104.126.37.139:443                       Akamai International B.V.    DE       unknown
4     System               192.168.100.255:138                                                            whitelisted
2060  svchost.exe          40.127.240.158:443                       MICROSOFT-CORP-MSN-AS-BLOCK  IE       unknown
2064  MoUsoCoreWorker.exe  40.127.240.158:443                       MICROSOFT-CORP-MSN-AS-BLOCK  IE       unknown
1452  RUXIMICS.exe         40.127.240.158:443                       MICROSOFT-CORP-MSN-AS-BLOCK  IE       unknown
2064  MoUsoCoreWorker.exe  23.48.23.143:80       crl.microsoft.com  Akamai International B.V.    DE       unknown
1452  RUXIMICS.exe         23.48.23.143:80       crl.microsoft.com  Akamai International B.V.    DE       unknown
2060  svchost.exe          23.48.23.143:80       crl.microsoft.com  Akamai International B.V.    DE       unknown

As with the HTTP requests, every connection comes from a Windows system process; the NetBIOS broadcasts (ports 137/138) and SSDP multicast (239.255.255.250:1900) are local network noise.

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.68
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.74
  • 40.126.32.136
  • 40.126.32.134
  • 20.190.160.22
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
www.bing.com
  • 184.86.251.20
  • 184.86.251.22
  • 184.86.251.21
  • 184.86.251.24
  • 184.86.251.7
  • 184.86.251.4
  • 184.86.251.8
  • 184.86.251.30
  • 184.86.251.27
whitelisted
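The network sections above list 13 HTTP requests, 79 connections and 16 DNS queries, yet nothing is attributed to the sample's PIDs. The added example below (not ANY.RUN's code) shows how to separate sandbox background traffic from sample-originated traffic mechanically, so that "no threats" is read correctly: events from the sample's PIDs are always classed as sample traffic, private and multicast destinations as local noise, and the CRL/OCSP hosts contacted by Windows and Office as PKI background; whatever remains is left for review. The rows are constructed from this report's HTTP requests and Connections tables (OCSP request paths shortened); the record layout and the PKI host list are assumptions. DNS requests carry no PID in the report and so cannot be attributed this way.

```python
"""Attribute sandbox network events to the sample or to background noise.

Added example, not ANY.RUN's code. Rows are constructed from this report's
HTTP requests and Connections tables (OCSP request paths shortened); the
record layout and PKI_BACKGROUND_HOSTS are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

CLASSES = ("sample", "local", "pki_background", "other_background")

# Hosts that Windows and Office components contact for certificate revocation
# checks (CRL/OCSP). Expected in any sandbox run, whatever the sample does.
PKI_BACKGROUND_HOSTS = {"crl.microsoft.com", "ocsp.digicert.com", "www.microsoft.com"}

# (pid, process, ip, url) constructed from the HTTP requests table.
HTTP_REQUESTS = [
    (5952, "backgroundTaskHost.exe", "192.229.221.95", "http://ocsp.digicert.com/MFEwTzBN"),
    (3040, "OfficeClickToRun.exe", "192.229.221.95", "http://ocsp.digicert.com/MFEwTzBN"),
    (1452, "RUXIMICS.exe", "23.48.23.143",
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (2060, "svchost.exe", "23.48.23.143",
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (2064, "MoUsoCoreWorker.exe", "184.30.21.171",
     "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (4656, "SearchApp.exe", "192.229.221.95", "http://ocsp.digicert.com/MFEwTzBN"),
]

# (pid, process, ip, port, domain) constructed from the Connections table;
# domain is None where the report showed none.
CONNECTIONS = [
    (4, "System", "192.168.100.255", 137, None),
    (4032, "svchost.exe", "239.255.255.250", 1900, None),
    (4656, "SearchApp.exe", "104.126.37.139", 443, None),
    (4, "System", "192.168.100.255", 138, None),
    (2060, "svchost.exe", "40.127.240.158", 443, None),
    (2064, "MoUsoCoreWorker.exe", "40.127.240.158", 443, None),
    (1452, "RUXIMICS.exe", "40.127.240.158", 443, None),
    (2064, "MoUsoCoreWorker.exe", "23.48.23.143", 80, "crl.microsoft.com"),
    (1452, "RUXIMICS.exe", "23.48.23.143", 80, "crl.microsoft.com"),
    (2060, "svchost.exe", "23.48.23.143", 80, "crl.microsoft.com"),
]


def classify(pid, ip, host, sample_pids):
    """Order matters: anything from the sample's PIDs is 'sample' even when the
    destination looks like a well-known service (C2 over legitimate hosts)."""
    if pid in sample_pids:
        return "sample"
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_multicast or addr.is_link_local:
        return "local"
    if host in PKI_BACKGROUND_HOSTS:
        return "pki_background"
    return "other_background"


def triage(http_requests, connections, sample_pids):
    """Class every event and return counts, sample events and a review list."""
    events = []
    for pid, proc, ip, url in http_requests:
        host = urlsplit(url).hostname
        events.append({"pid": pid, "process": proc, "dest": host,
                       "cls": classify(pid, ip, host, sample_pids)})
    for pid, proc, ip, port, domain in connections:
        events.append({"pid": pid, "process": proc, "dest": f"{domain or ip}:{port}",
                       "cls": classify(pid, ip, domain, sample_pids)})
    summary = {c: 0 for c in CLASSES}
    for e in events:
        summary[e["cls"]] += 1
    return {
        "summary": summary,
        "sample_events": [e for e in events if e["cls"] == "sample"],
        # Public destinations not explained by the PKI list: look, but they
        # are not the sample's.
        "review": [e for e in events if e["cls"] == "other_background"],
    }


def sample_traffic_observed(http_requests, connections, sample_pids):
    """False means the capture holds no C2 evidence, not that the RAT has none."""
    return bool(triage(http_requests, connections, sample_pids)["sample_events"])


if __name__ == "__main__":
    result = triage(HTTP_REQUESTS, CONNECTIONS, {6700, 6788})
    print(result["summary"])
    for e in result["review"]:
        print("review:", e["pid"], e["process"], e["dest"])
```

On this report's rows the summary is 0 sample events, 3 local, 9 PKI background and 4 left for review (SearchApp.exe and the update-related processes talking to Akamai and Microsoft on 443), so `sample_traffic_observed` returns False. The useful design point is the ordering in `classify`: a sample PID reaching crl.microsoft.com is still sample traffic, which is exactly the case a host allow-list would hide.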

Threats

No threats detected
No debug info