MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bcf9a3648bac8ded65038381f3e40a590d0e2d5ec5d3cc8bca275a2939dad17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 1bcf9a3648bac8ded65038381f3e40a590d0e2d5ec5d3cc8bca275a2939dad17
SHA3-384 hash: f62000cbd9300b4eafddb3b361fbf7f48218faad45dfaf52dee30d3cd391fdae2bd7ddf936930f5c0a6939f05b7d12bf
SHA1 hash: a461a1a1031853ba9aa45a0ce4831d5209d40149
MD5 hash: 746635b2bd985a47943d22332f6c4039
humanhash: nineteen-fanta-delta-louisiana
File name: 746635b2bd985a47943d22332f6c4039.vbs
Signature: ZLoader
File size: 1'270'904 bytes
First seen: 2020-07-31 08:29:00 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 12288:IhsNDhaHDNhSPEClIgHWSksZstJVUteLhK/GX4Vbqgmwpr3HvNoMIbcrFc6PuTmC:N+N0PEQVeLc/GX4VbRvx3vVIbWvIHOhQ
TLSH: CA451303DAF51BDAB74418F851F90C4A7DD24277309132EAF5E79FAA182FDA911980B3
Reporter: @abuse_ch
Tags: vbs, ZLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 36
Origin country: US

Mail intelligence
No data

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Using the Windows Management Instrumentation requests

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Benign windows process drops PE files
Creates processes via WMI
Deletes itself after installation
Machine Learning detection for dropped file
May check the online IP address of the machine
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Threat name: Script-VBS.Backdoor.Quakbot
Status: Malicious
First seen: 2020-07-31 08:30:09 UTC
AV detection: 11 of 31 (35.48%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a

Behaviour
Modifies system certificate store
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Blacklisted process makes network request

Threat name: Suspicious File
Score: 0.60

Yara Signatures


Rule name: win_zloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments