MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90
SHA3-384 hash: a1171418ae7c2579268b859a1514a64d532f413926ec56f8d535f553c5a733cbee050fc50ce953971001d352d8df03d2
SHA1 hash: 84bca01f9b1b14cb664486137832b97144e823c9
MD5 hash: a51ac08d9fab5ef6b2904ad62cd68e37
humanhash: network-harry-mars-london
File name:PO#MAIN450000000227897_Sraco_Doc.vbs
Download: download sample
File size:356'524 bytes
First seen:2026-04-14 06:54:11 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:f/yMXwCGjDm2U4F7JpmEngGyDanqI9cbeOaRcPgBQcTM++uPK1ODZnGj1kzxI0NP:f/lFGm2XJpmEng/Dan3cbelOPgGcgmPH
Threatray 145 similar samples on MalwareBazaar
TLSH T1D6747C6162E9242BB9F33B24A8B52085C69FBE139F5B841C109715ED47B09808FF57BF
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika autohotkey
Reporter abuse_ch
Tags:vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61475/
Detection(s):
Sanesecurity.Malware.27117.HtaHeur.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dde4aa45787c53e5397da3
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/69dde4a45ea31bc68a28ac95/reports/5cf70c48-4214-45b9-a6e0-16a6f984c672/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90
Verdict:
Malicious
File Type:
vbs
First seen:
2026-04-14T02:15:00Z UTC
Last seen:
2026-04-16T00:45:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90/results?tab=lookup
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1897850
Signature
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queues an APC in another process (thread injection)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Clipboard Hijacker
Yara detected Generic Stealer
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1897850 Sample: PO#MAIN450000000227897_Srac... Startdate: 14/04/2026 Architecture: WINDOWS Score: 100 37 twc.trafficmanager.net 2->37 39 time.windows.com 2->39 41 2 other IPs or domains 2->41 59 Malicious sample detected (through community Yara rule) 2->59 61 Sigma detected: Capture Wi-Fi password 2->61 63 Yara detected Generic Stealer 2->63 65 10 other signatures 2->65 10 wscript.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 dnsIp5 75 VBScript performs obfuscated calls to suspicious functions 10->75 77 Wscript starts Powershell (via cmd or directly) 10->77 79 Bypasses PowerShell execution policy 10->79 81 3 other signatures 10->81 16 powershell.exe 15 18 10->16         started        49 127.0.0.1 unknown unknown 13->49 signatures6 process7 dnsIp8 35 gtps4change.org 192.185.99.13, 443, 49681 UNIFIEDLAYER-AS-1US United States 16->35 51 Early bird code injection technique detected 16->51 53 Creates an undocumented autostart registry key 16->53 55 Writes to foreign memory regions 16->55 57 3 other signatures 16->57 20 RegAsm.exe 26 16->20         started        24 conhost.exe 16->24         started        signatures9 process10 dnsIp11 43 ip-api.com 208.95.112.1, 49682, 80 TUT-ASUS United States 20->43 45 twc.trafficmanager.net 168.61.215.74, 123, 55963 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->45 47 107.172.135.18, 4449, 49683 AS-COLOCROSSINGUS United States 20->47 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->67 69 Contains functionality to start a terminal service 20->69 71 Contains functionality to hide user accounts 20->71 73 8 other signatures 20->73 26 cmd.exe 2 20->26         started        signatures12 process13 signatures14 83 Uses netsh to modify the Windows network and firewall settings 26->83 85 Tries to harvest and steal WLAN passwords 26->85 29 netsh.exe 2 26->29         started        31 conhost.exe 26->31         started        33 chcp.com 1 26->33         started        process15
Score:
23%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90/
Verdict:
Malicious
Threat:
Trojan.Script
Link:
https://tip.neiki.dev/file/3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-04-14 06:54:40 UTC
File Type:
Text (VBS)
AV detection:
8 of 38 (21.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hycctoq3w65so5i3pp35d5wjkyp74xonihoz557pnul7bmfctoia._file
Verdict:
malicious
Label(s):
unc_stealer_006
Create hunting rule
Similar samples:
0464a153095ca27becc740b81fe862a22fcb2b8988492d0e93c115dff45ea480
0563f9e1d0fe8c2cf932f55fb8341ee86c1d1ee7d1be5d99f929db36d92dcf97
206bc809554c8877ae3ddff321ce2a637a122451a24482eac52d5606680f4488
2d9d3c0cfdca2e96c13788f38464066ace526326cb887a0f7dc50f9e5be17aad
435bceaf240dd7711542a723a6988b280948e77e9953614d981d653680de9f49
728e75ae848ac62aa705ed4e4c000dd3dfa2a4cf70a5adfbc56c5a9d2b017792
d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2
error
+ 135 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/260414-hpe33sgy6v/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Accesses Microsoft Outlook profiles
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/61475/

Comments