MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 327aa44733c9f8d2100e4c3b2fb3dae147f2734ac76cc20e8a8ae506ebb1c85a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 327aa44733c9f8d2100e4c3b2fb3dae147f2734ac76cc20e8a8ae506ebb1c85a
SHA3-384 hash: 21b127bfd1c8416b5b01cbea464718bc56d4a92a000a52814921839d9798e28228cda241e82f1f93104d01d73859fd6e
SHA1 hash: fdd4743eb25de32e1200fa7fd82478a4709b19d0
MD5 hash: 4cff3ae835812ec90d603fa14bf7290f
humanhash: lithium-solar-venus-comet
File name:ArbitrjMA4E2328cbjh-YTKFM8RVL958427ZIXJIL.vbs
Download: download sample
File size:4'971'912 bytes
First seen:2026-04-17 14:35:46 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 49152:geOtozvwz4H9w+CRLHee+xnHiWIsdd3aUGhLOChYVFjdHZHCvAJ1egJYBrIN:J
Threatray 69 similar samples on MalwareBazaar
TLSH T143363370BF810E570A90033AB16F6F2B6F3E4D638B0DE5EB95D992D3355EA42425F0A4
TrID 77.7% (.MIZ) Mizar article (with rem) (10500/1/3)
22.2% (.CNT) Help File Contents (3000/1/1)
Magika vba
Reporter abuse_ch
Tags:ESP geo vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61994/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e2456245787c53e53a9d8d
Tags:
n/a
Verdict:
Malicious
Labled as:
Agent
Link:
https://www.hybrid-analysis.com/sample/327aa44733c9f8d2100e4c3b2fb3dae147f2734ac76cc20e8a8ae506ebb1c85a
Verdict:
Malicious
File Type:
text
First seen:
2026-04-17T11:59:00Z UTC
Last seen:
2026-04-19T10:29:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/327aa44733c9f8d2100e4c3b2fb3dae147f2734ac76cc20e8a8ae506ebb1c85a/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1900217
Signature
Benign windows process drops PE files
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Download SVG
Score:
37%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/327aa44733c9f8d2100e4c3b2fb3dae147f2734ac76cc20e8a8ae506ebb1c85a
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
CAB:COMPRESSION:MSZIP
Link:
https://app.malva.re/file/4cff3ae835812ec90d603fa14bf7290f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/327aa44733c9f8d2100e4c3b2fb3dae147f2734ac76cc20e8a8ae506ebb1c85a/
Verdict:
Malicious
Threat:
Trojan.Script.SAgent
Link:
https://tip.neiki.dev/file/327aa44733c9f8d2100e4c3b2fb3dae147f2734ac76cc20e8a8ae506ebb1c85a
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-17 14:36:47 UTC
File Type:
Text
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gj5kirztzh4neeaojq5s7m624fd7e42ky5wmedukrlsqn25rzbna._file
Verdict:
malicious
Label(s):
grandoreiro
Create hunting rule
Similar samples:
11e1d45cd4af13e86e1622b1935a203d3ca88c83a88f0c21d90f172b78dceac3
141b2251a5c44a0dc80f8bedaf43dcb35d31611d363ad444fdd4ddf119ad10c7
165ee7f331edb59e0da1fa4968950b4c56f595ffdb60e8be5a1adfd8405a045d
70f143db2bfc3f3acda1fde1af213eeb3cda22df026316611603a5a9105f6788
77123bc1f558de321e9ee3924b340819a9bb60a4cd3ef402a677c366ae99b1be
95f4d28836c9c99435618ae66a2e9224cb735da18c13f87754cd2326ab296719
c5887d288394ed19f6c0910cb580e75203cbcb08802eb77cb7bc94f04e800d88
e32facc30e91c9ca16779738f75322b47c78c7993f191e0edf387cd32baf518b
e6df65bbcc3339a4c6d6572841e444e206a02c5b9baf0b01d7bfa3ed3832b58b
error
fcb409d0edd39e50418d09f2187a1e802b0c93ddf476f8d0c61c7f93fef3d887
+ 59 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/260417-r64bnscv9s/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/327aa44733c9f8d2100e4c3b2fb3dae147f2734ac76cc20e8a8ae506ebb1c85a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

iso faaa4d005314440dfd7ed5fa2f522e1a2642f08ec3bf0c1e2779a39bf4268349

Visual Basic Script (vbs) vbs 327aa44733c9f8d2100e4c3b2fb3dae147f2734ac76cc20e8a8ae506ebb1c85a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3824487/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/61994/
  
Dropped by
SHA256 faaa4d005314440dfd7ed5fa2f522e1a2642f08ec3bf0c1e2779a39bf4268349
  
Dropped by
MD5 a83b39f647ef100c992ea19f7c5a9595

Comments