MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dff181b29d64aa245f8da5cebc1788e7f13e2600e03574c236508659b15c16c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustDesk


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dff181b29d64aa245f8da5cebc1788e7f13e2600e03574c236508659b15c16c
SHA3-384 hash: e013890882f7b802618cbc86cf5268a326e31caefd277ade4a529cf1eb2b111b0615362ccc998a1743d91dddf44db16b
SHA1 hash: 2ff61bc044343d186333ffd3630e2d86f0417629
MD5 hash: f2d2c5ce23257f43cca9a5d49b9dd08c
humanhash: undress-uniform-wisconsin-arizona
File name:PL10-03-2026L.vbs
Download: download sample
Signature RustDesk
Create hunting rule
File size:126'178 bytes
First seen:2026-06-11 06:40:47 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:Rddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddk:BAzYm
TLSH T13BC33B449D6A1A4BFE680ABAF2C7988CFEC635684D1E7741F824DF216C91158F12E48F
Magika vba
Reporter abuse_ch
Tags:rustdesk vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2a58a9a15110463ee4b07d
Tags:
autorun extens sage blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated
Link:
https://www.filescan.io/uploads/6a2a58a1e6f7d2d27d57caf9/reports/e21280a5-059b-4bbd-ae94-7eaee31867a5/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/0dff181b29d64aa245f8da5cebc1788e7f13e2600e03574c236508659b15c16c
Result
Threat name:
RUSTDESK
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1926388
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Potential Privilege Escalation using Task Scheduler highest RunLevel
Sigma detected: Drops script at startup location
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Yara detected RUSTDESK
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1926388 Sample: PL10-03-2026L.vbs Startdate: 11/06/2026 Architecture: WINDOWS Score: 100 105 store-eu-par-1.gofile.io 2->105 107 file-eu-par-5.gofile.io 2->107 109 7 other IPs or domains 2->109 127 Antivirus detection for URL or domain 2->127 129 Multi AV Scanner detection for submitted file 2->129 131 Yara detected RUSTDESK 2->131 133 14 other signatures 2->133 10 wscript.exe 1 145 2->10         started        15 Launcher.exe 2->15         started        17 cmd.exe 2->17         started        19 Launcher.exe 2->19         started        signatures3 process4 dnsIp5 123 file-eu-par-5.gofile.io 195.154.218.45, 443, 49699 OnlineSASFR France 10->123 125 store-eu-par-1.gofile.io 45.112.123.226, 443, 49693 GOFILEFR France 10->125 87 C:\Users\Public\...\librustdesk.dll, PE32+ 10->87 dropped 89 C:\Users\Public\...\Launcher.exe, PE32+ 10->89 dropped 91 C:\Users\Public\...\no_sleep.js, ASCII 10->91 dropped 99 21 other files (1 malicious) 10->99 dropped 155 System process connects to network (likely due to code injection or exploit) 10->155 157 Benign windows process drops PE files 10->157 159 VBScript performs obfuscated calls to suspicious functions 10->159 169 2 other signatures 10->169 21 Launcher.exe 59 10->21         started        25 chrome.exe 10->25         started        101 57 other files (none is malicious) 15->101 dropped 161 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->161 163 Hides threads from debuggers 15->163 165 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->165 28 Launcher.exe 15->28         started        30 Launcher.exe 17->30         started        32 conhost.exe 17->32         started        93 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 19->93 dropped 95 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 19->95 dropped 97 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 19->97 dropped 103 54 other files (none is malicious) 19->103 dropped 167 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->167 34 Launcher.exe 19->34         started        file6 signatures7 process8 dnsIp9 69 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 21->69 dropped 71 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 21->71 dropped 73 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 21->73 dropped 81 54 other files (none is malicious) 21->81 dropped 135 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->135 137 Drops script or batch files to the startup folder 21->137 139 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->139 147 2 other signatures 21->147 36 Launcher.exe 2 2 21->36         started        121 192.168.2.5, 138, 443, 49406 unknown unknown 25->121 41 chrome.exe 25->41         started        75 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 30->75 dropped 77 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 30->77 dropped 79 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 30->79 dropped 83 54 other files (none is malicious) 30->83 dropped 141 Hides threads from debuggers 30->141 143 Tries to detect sandboxes / dynamic malware analysis system (registry check) 30->143 145 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 30->145 43 Launcher.exe 30->43         started        file10 signatures11 process12 dnsIp13 111 ip-api.com 208.95.112.1, 49718, 49726, 49732 TUT-AS-TotalUptimeTechnologiesLLCUS United States 36->111 113 209.99.191.186, 49719, 49721, 49724 SKN-NETWORK-1-SKNSubnetTelecomLtdKN United States 36->113 85 C:\Users\user\...\RustDeskLauncher.bat, DOS 36->85 dropped 149 Hides threads from debuggers 36->149 151 Tries to detect sandboxes / dynamic malware analysis system (registry check) 36->151 153 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 36->153 45 cmd.exe 1 36->45         started        47 cmd.exe 36->47         started        49 schtasks.exe 36->49         started        51 3 other processes 36->51 115 www.google.com 142.251.150.119, 443, 49710 GOOGLE-GoogleLLCUS United States 41->115 117 drive.google.com 41->117 119 7 other IPs or domains 41->119 file14 signatures15 process16 process17 53 conhost.exe 45->53         started        55 tasklist.exe 1 45->55         started        57 conhost.exe 47->57         started        59 taskkill.exe 47->59         started        61 conhost.exe 49->61         started        63 conhost.exe 51->63         started        65 conhost.exe 51->65         started        67 conhost.exe 51->67         started       
Score:
91%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0dff181b29d64aa245f8da5cebc1788e7f13e2600e03574c236508659b15c16c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0dff181b29d64aa245f8da5cebc1788e7f13e2600e03574c236508659b15c16c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-11 06:41:40 UTC
File Type:
Text (VBS)
AV detection:
6 of 36 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bx7rqgzj2zfkerpy3jooxqlyrz7rhytabybvotbdmueglgyvyfwa._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery execution persistence themida trojan
Link:
https://tria.ge/reports/260611-hf5blsas9z/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Themida packer
Badlisted process makes network request
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/0dff181b29d64aa245f8da5cebc1788e7f13e2600e03574c236508659b15c16c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments