MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff9e3a65c1925b0e8f1627488ee8b1f92e4f2dbc9d20a10edfd1b034e1a9d30a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff9e3a65c1925b0e8f1627488ee8b1f92e4f2dbc9d20a10edfd1b034e1a9d30a
SHA3-384 hash: 14d09721ced5ba54d734a088d4914588c04ec9cbf1f8f074c7c9f0a4282988d712f3e2a78f97059c7681d7d1a98daa51
SHA1 hash: 06c2e0aacd60539a7d9913f844e92c4a60231fe9
MD5 hash: 218828f5624bae497de33fe29cf7aaa9
humanhash: east-table-twelve-bulldog
File name:Screen_Shot_1253_246469384693746_2469724.jpg.VBS
Download: download sample
File size:1'238 bytes
First seen:2026-04-27 10:05:10 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:7AQBw17rDL+qEUAyFSA+SvDo1XAM/yJUvyzgA+CVHKUsEq2o/iOZVhHP+r8Osnhs:7A8AvXaUAXAFbgA6yJUqEAnU7/pZrvk5
TLSH T14F215113F48293334131CCA1DF967C88F5801A83112CAD16BF0C8AA52F799A79FF055E
Magika vba
Reporter smica83
Tags:vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/63755/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien evasive obfuscated overlay
Link:
https://www.filescan.io/uploads/69ef352d81aa9ec3bc2b1bb8/reports/4144b974-8464-4f19-8c27-cc4395be5419/overview
Verdict:
Suspicious
Labled as:
TrojanDownloader/VBS.Agent
Link:
https://www.hybrid-analysis.com/sample/ff9e3a65c1925b0e8f1627488ee8b1f92e4f2dbc9d20a10edfd1b034e1a9d30a
Result
Gathering data
Verdict:
Malicious
File Type:
vbs
First seen:
2026-04-26T20:55:00Z UTC
Last seen:
2026-04-26T21:25:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/ff9e3a65c1925b0e8f1627488ee8b1f92e4f2dbc9d20a10edfd1b034e1a9d30a/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1905034
Signature
Joe Sandbox ML detected suspicious sample
Posts data to a JPG file (protocol mismatch)
Potential malicious VBS script found (has network functionality)
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
System process connects to network (likely due to code injection or exploit)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1905034 Sample: Screen_Shot_1253_2464693846... Startdate: 27/04/2026 Architecture: WINDOWS Score: 100 37 imgresim.net 2->37 39 dekontara.digital 2->39 55 Uses an obfuscated file name to hide its real file extension (double extension) 2->55 57 Potential malicious VBS script found (has network functionality) 2->57 59 Posts data to a JPG file (protocol mismatch) 2->59 61 5 other signatures 2->61 8 wscript.exe 16 2->8         started        13 wscript.exe 2->13         started        15 wscript.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 dnsIp5 45 imgresim.net 82.198.228.142, 443, 49693, 49698 BRITELINE-ASDE United Kingdom 8->45 33 C:\ProgramData\...\ChromeReportUpdateRGO.vbs, ASCII 8->33 dropped 35 C:\ProgramData\...\ChromeReportUpdatePGO.vbs, ASCII 8->35 dropped 63 System process connects to network (likely due to code injection or exploit) 8->63 65 VBScript performs obfuscated calls to suspicious functions 8->65 67 Potential malicious VBS script found (has network functionality) 8->67 69 4 other signatures 8->69 19 chrome.exe 8->19         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 1 8->24         started        47 dekontara.digital 84.32.84.113, 443, 49694, 49705 NTT-LT-ASLT Lithuania 17->47 49 2.57.91.235, 443, 49721, 49722 AS-HOSTINGERLT Lithuania 17->49 file6 signatures7 process8 dnsIp9 41 192.168.2.5, 138, 443, 49675 unknown unknown 19->41 43 192.168.2.6 unknown unknown 19->43 26 chrome.exe 19->26         started        29 conhost.exe 22->29         started        31 conhost.exe 24->31         started        process10 dnsIp11 51 imgresim.net 26->51 53 www.google.com 142.251.157.119, 443, 49710 GOOGLEUS United States 26->53
Score:
58%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/ff9e3a65c1925b0e8f1627488ee8b1f92e4f2dbc9d20a10edfd1b034e1a9d30a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff9e3a65c1925b0e8f1627488ee8b1f92e4f2dbc9d20a10edfd1b034e1a9d30a/
Verdict:
Malicious
Threat:
Trojan-Downloader.VBS.SLoad
Link:
https://tip.neiki.dev/file/ff9e3a65c1925b0e8f1627488ee8b1f92e4f2dbc9d20a10edfd1b034e1a9d30a
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-04-27 01:30:55 UTC
File Type:
Text (VBS)
AV detection:
2 of 36 (5.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=76pduzobsjnq5dywe5ei52fr7exe6ln4tuqkcdw72gydjynj2mfa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/260427-l49g1sgy2w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ff9e3a65c1925b0e8f1627488ee8b1f92e4f2dbc9d20a10edfd1b034e1a9d30a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/63755/

Comments