MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc
SHA3-384 hash:	e1f7b5d0f72e0a5745c31a8838db9a6f3102d755b8d1a4f9332db48031ae2d45104af4c647e662f6f07fc96580689c2f
SHA1 hash:	091bb6741e7af77d50ade06ae11e5ba115693420
MD5 hash:	dbae72cfaaab94b4170580a895c292e1
humanhash:	april-coffee-foxtrot-magnesium
File name:	project_sample2026.vbs
Download:	download sample
File size:	6'687 bytes
First seen:	2026-01-27 19:01:18 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	96:4/4XAWEm/zddjpUH05OvJ6FBM/WD9DuC4iNGlp0ovOI6q/02/JGbPj:619m/B3OvJ6HM/E6lWoG3q/N/IL
Threatray	1'460 similar samples on MalwareBazaar
TLSH	T17CD1850FBE07532449B2433B8414E45FE4E8173B85261C58BDCC8449AF7276DEAD3AEA
Magika	vba
Reporter	Anonymous
Tags:	vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/50428/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69790ba1bec9764f452f6302

Tags:

shellcode dropper shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cscript evasive lolbin msiexec powershell wscript zero-day

Link:

https://www.filescan.io/uploads/69790b9a09c19dc155843b44/reports/18106ec5-9935-4a9e-a432-7ac36ac39345/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc

Verdict:

Malicious

File Type:

vbs

First seen:

2026-01-27T18:17:00Z UTC

Last seen:

2026-01-27T18:45:00Z UTC

Hits:

~10

Detections:

Trojan.JS.SAgent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.VBS.SAgent.gen

Link:

https://opentip.kaspersky.com/38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc/results?tab=lookup

Score:

17%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc/

Verdict:

Malicious

Threat:

Trojan.JS.SAgent

Link:

https://tip.neiki.dev/file/38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc

Threat name:

Text.Trojan.Generic

Status:

Suspicious

First seen:

2026-01-27 18:55:04 UTC

File Type:

Text (VBS)

AV detection:

6 of 38 (15.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hdffkaxpgdrz4x7fxjsynh3uf5rjsetevojpodj7z36hue3dlpoa._file

Verdict:

malicious

Label(s):

admintool_screenconnect

3736f158f14a152920163270add0c7b202650ea3524ab584e3ce91088e1bccb0

8f19d0c3444439ed0550153d6c8943ca343154706e473cd7f3458f7f82880c7d

9ca59c490d09fbcc068f6cf7cc15842f236e748508b18bf09f8b1f0ca9d7147c

aa0d5f98bb9ef620d8ade9669e88def0a2833158e19ebb7eae8b5bfb23f7ea17

aae9aeae9cad1d3f39698f3e63f06ea1158d59ba9d076ce82591b21600ee91c3

bf92565ecb6829f4f9db90a32d03880df007ace6ccd602ae6d63f808fe90b057

cbf7df1af41eef6b0dcf10f83bc7e2f87b3a52e4ada555334336e3c0c070a269

d09a41581c732f175b4017608a74afd636cc32bde5f56e3d9bd1ca53ef6ec29c

dbd971eeb2ed0f64f223a7cff200535302f999a458b6bf9b906c2c94dce9cd36

error

+ 1'450 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

backdoor discovery execution persistence privilege_escalation rat revoked_codesign

Link:

https://tria.ge/reports/260127-xpql5sct3c/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Enumerates connected drives

Checks computer location settings

ConnectWise ScreenConnect remote access tool

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Binary is signed using a ConnectWise certificate revoked for key compromise.

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_tiny_vbs Create hunting rule
Author:	daniyyell
Description:	Detects tiny VBS delivery technique

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/50428/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample