MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12fdceb6d837be10e3cd18faeaed560e027a42cb9f0e5a9fb35cc64a236be8d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12fdceb6d837be10e3cd18faeaed560e027a42cb9f0e5a9fb35cc64a236be8d4
SHA3-384 hash: d0ddebd6f2a5154ce82251d7ceb3a2e0bd009b060640f00a5fc2b32eecbd9c0b82b635c42031c45929d5457168ba2c05
SHA1 hash: b540282d1abcddf883c4d4869eb7ded26f0c3773
MD5 hash: 487f50601f6106842001e7f7b6369a2a
humanhash: summer-moon-orange-blossom
File name:487f50601f6106842001e7f7b6369a2a.vbs
Download: download sample
File size:1'182'514 bytes
First seen:2026-02-17 07:19:59 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:faxFsKtFsKoFJdu6l23CPNm5ZHfkPKTF8LTomWnxX2oCPNEo7H7cEHtFPKoFCMnG:DC
Threatray 430 similar samples on MalwareBazaar
TLSH T1D64545FE3F8A2623B5B75F50500440D9E94FC4812D4927C8FDCAE660654F2EE1662EBE
Magika txt
Reporter abuse_ch
Tags:vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
52
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53512/
Detection(s):
SecuriteInfo.com.VBS.Agent-101.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699416c90d0369ff997a2522
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 fingerprint obfuscated powershell
Link:
https://www.filescan.io/uploads/699416c1930564ff3ca51ee1/reports/9a737a48-d1e5-496c-93e6-fecd46d0a0b6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/12fdceb6d837be10e3cd18faeaed560e027a42cb9f0e5a9fb35cc64a236be8d4
Verdict:
Malicious
File Type:
vbs
Detections:
PDM:Trojan.Win32.Generic PDM:Trojan.Win32.GenAutorunSchedulerTaskRun.c Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/12fdceb6d837be10e3cd18faeaed560e027a42cb9f0e5a9fb35cc64a236be8d4/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1870275
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates processes via WMI
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected MSIL Crypter
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Score:
7%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/12fdceb6d837be10e3cd18faeaed560e027a42cb9f0e5a9fb35cc64a236be8d4
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12fdceb6d837be10e3cd18faeaed560e027a42cb9f0e5a9fb35cc64a236be8d4/
Verdict:
Malicious
Threat:
Trojan.Win32.GenAutorunSchedulerTaskRun
Link:
https://tip.neiki.dev/file/12fdceb6d837be10e3cd18faeaed560e027a42cb9f0e5a9fb35cc64a236be8d4
Threat name:
Script-WScript.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2026-02-16 13:25:23 UTC
File Type:
Binary
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cl645nwyg67bby6ndd5ov3kwbybhuqwlt4hfvh5tltdeui3l5dka._file
Verdict:
malicious
Label(s):
phantomstealer
Create hunting rule
Similar samples:
2a86c8ae8cabbeb5909a0240fef9bd50fbf422f9d3d6a54c4a4e5c255dae3ddf
3c23073583bd33a068be551134983e7958884cb7656a4da03d9cc737b262f1ee
4a34e6614acd4a138eb1f308c21be91a8f0c53f00c307a1a5cf2a178182b62c4
6314c3c82acb165b93aa922ff379754ea29c321d7a757a5d55d72e537072d9c7
8b0fe67d4862db19d8af42c46986e6ff1750aa4eb04e2645aacf9b5a1416e84a
9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b
c0b1fa407b6f1c7a2c0636febc35adf5494f887dd5001be9bd5fab0870ad2ecd
error
fc3d9f89cc5a6b2824022593ed3ab4d94a72f71ef5f34953acc952141ad110f0
+ 420 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260217-h6dxcaa19f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://ia600603.us.archive.org/13/items/msi-pro-with-b-64_202602/MSI_PRO_with_b64.png
Malware family:
PhantomStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/12fdceb6d837/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/12fdceb6d837be10e3cd18faeaed560e027a42cb9f0e5a9fb35cc64a236be8d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/53512/

Comments