MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f92752540e0658dc96fef662e8f96f9552383c8b8da50ea7707b35727a645de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 3f92752540e0658dc96fef662e8f96f9552383c8b8da50ea7707b35727a645de
SHA3-384 hash: 02c75ae86f32fbe87e3ce308cbe1dc75a9be80526e2f93866487ec68edaea67859b28e950ff48f366de8e66d399f9b3f
SHA1 hash: 7e3eeb85a2174aa2cf39c5e11f2b747f4b6f8e9c
MD5 hash: a341dae0da7648a726add1df34a4ccac
humanhash: quebec-triple-uncle-missouri
File name: Reserva.vbs
File size: 238'968 bytes
First seen: 2023-08-08 06:53:14 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 6144:pOSgylSD7K3qdnX1ASODZkYHvn+AyHxR4VxMh:pOvAyRR4VxMh
Threatray: 835 similar samples on MalwareBazaar
TLSH: T11634A81056DF6489F1B33E520BED69E88F1BBBD15B3AA05D2048530BCBABD40CE95772
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
      33.3% (.MP3) MP3 audio (1000/1)
Reporter: abuse_ch
Tags: vbs
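
Two checks worth running on a downloaded copy before any analysis, as an added example that is not code from the MalwareBazaar page: verify the bytes against the hashes listed above (copied from this entry), and detect the UTF-16 LE encoding that TrID reports, because a grep or an ascii-only YARA string applied to the raw bytes of a UTF-16 script matches nothing. The VBScript text used as input is constructed and stands in for the real sample; the cp1252 fallback is an assumption about the host's ANSI code page.

```python
import codecs
import hashlib
import re

# Hashes copied from the MalwareBazaar entry for Reserva.vbs.
PAGE_HASHES = {
    "sha256": "3f92752540e0658dc96fef662e8f96f9552383c8b8da50ea7707b35727a645de",
    "sha1": "7e3eeb85a2174aa2cf39c5e11f2b747f4b6f8e9c",
    "md5": "a341dae0da7648a726add1df34a4ccac",
    "sha3_384": "02c75ae86f32fbe87e3ce308cbe1dc75a9be80526e2f93866487ec68edaea67859b28e950ff48f366de8e66d399f9b3f",
}


def hash_mismatches(data, expected=PAGE_HASHES):
    """Names of the algorithms whose digest of `data` differs from `expected`.

    An empty list means the bytes are the published sample; anything else means
    the download is truncated, re-encoded or simply a different file.
    """
    return sorted(
        name for name, want in expected.items()
        if hashlib.new(name, data).hexdigest() != want.lower()
    )


def detect_encoding(data):
    """Guess the text encoding of a script file from its BOM or NUL-byte pattern."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le"
    if data.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be"
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    # BOM-less UTF-16 of mostly-ASCII text: one byte of every pair is NUL.
    head = data[:4096]
    if len(head) >= 4:
        odd_nul = head[1::2].count(0) / len(head[1::2])
        even_nul = head[0::2].count(0) / len(head[0::2])
        if odd_nul > 0.7 and even_nul < 0.1:
            return "utf-16-le"
        if even_nul > 0.7 and odd_nul < 0.1:
            return "utf-16-be"
    # Assumption: wscript reads BOM-less files in the host ANSI code page;
    # cp1252 is the Western default.
    return "cp1252"


def decode_script(data):
    """Decode the script so pattern matching sees the same characters wscript does."""
    return data.decode(detect_encoding(data), errors="replace")


def raw_ascii_match(pattern, data):
    """Byte-level search, as a quick grep or an ascii-only YARA string would do it."""
    return re.search(pattern.encode("ascii"), data) is not None


def decoded_match(pattern, data):
    """The same pattern applied after decoding; this is the check that works on UTF-16 samples."""
    return re.search(pattern, decode_script(data)) is not None


# Constructed stand-in for a UTF-16 LE VBScript (not the real Reserva.vbs).
CONSTRUCTED_VBS = codecs.BOM_UTF16_LE + (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run "cmd /c ping -n 10 127.0.0.1 & powershell -w hidden -enc QUJD", 0\r\n'
).encode("utf-16-le")


if __name__ == "__main__":
    print("encoding:", detect_encoding(CONSTRUCTED_VBS))
    print("raw match:", raw_ascii_match(r"WScript\.Shell", CONSTRUCTED_VBS))
    print("decoded match:", decoded_match(r"WScript\.Shell", CONSTRUCTED_VBS))
    print("hash mismatches:", hash_mismatches(CONSTRUCTED_VBS))
```

On the constructed input the raw byte search for `WScript.Shell` fails while the decoded search succeeds, and all four digests differ from the page's values, which is exactly the signal you want when a re-hosted copy has been altered in transit.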

Intelligence

File Origin
# of uploads: 1
# of downloads: 96
Origin country: NL

Vendor Threat Intelligence
Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: troj.expl.evad
Score: 96 / 100
Signature
Drops VBS files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Multi AV Scanner detection for domain / URL
Sigma detected: Drops script at startup location
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID 1287471; sample Reserva.vbs; start date 08/08/2023; architecture WINDOWS; score 96)

Sample-level signatures:
  - Multi AV Scanner detection for domain / URL
  - Sigma detected: Drops script at startup location
  - Uses dynamic DNS services

Network indicators:
  uploaddeimagens.com.br
  marcelotatuape.ddns.net (dynamic DNS)
  127.0.0.1 (ping target)

Process tree (signatures listed under the process that triggered them):
  wscript.exe
    - VBScript performs obfuscated calls to suspicious functions
    - Suspicious powershell command line found
    - Wscript starts Powershell (via cmd or directly)
    cmd.exe
      - Wscript starts Powershell (via cmd or directly)
      - Uses ping.exe to sleep
      - Uses ping.exe to check the status of other devices and networks
      cmd.exe
        - Wscript starts Powershell (via cmd or directly)
        powershell.exe
          - Suspicious powershell command line found
          - Drops VBS files to the startup folder
          - Found suspicious powershell code related to unpacking or dynamic code loading
          dropped: C:\Users\user\AppData\Roaming\...\BHPu.vbs (Unicode)
      PING.EXE -> 127.0.0.1
      conhost.exe
    powershell.exe
      - Suspicious powershell command line found
      powershell.exe
      conhost.exe
  wscript.exe
    - Very long command line found
    cmd.exe
      cmd.exe
        powershell.exe
      conhost.exe
      PING.EXE
    powershell.exe
      conhost.exe
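
The signatures and process tree above translate directly into endpoint detection logic. The following is an added example, not code from MalwareBazaar or from the sandbox vendors quoted on this page: it walks constructed Sysmon-style process-creation and file-creation events that mirror the chain in the behaviour graph (wscript.exe -> cmd.exe -> PING.EXE / powershell.exe, a .vbs written to the Startup folder) and reports which of the page's behaviours each event matches. The event records, the 1000-character threshold for "very long command line" and the full per-user Startup folder path are assumptions; the page shows the dropped path only as C:\Users\user\AppData\Roaming\...\BHPu.vbs.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LONG_CMDLINE = 1000  # assumed threshold for "Very long command line found"

# Per-user Startup folder under %APPDATA% (assumed full path; the page elides it).
STARTUP_VBS_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$",
    re.IGNORECASE,
)
# "ping -n <count> 127.0.0.1" is a roughly one-second-per-echo sleep, not a reachability test.
PING_SLEEP_RE = re.compile(r"-n\s+\d+\s+(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)
# Markers of unpacking / dynamic code loading in a PowerShell command line (heuristic).
PS_DYNAMIC_RE = re.compile(
    r"FromBase64String|Invoke-Expression|\bIEX\b|-enc(?:odedcommand)?\b", re.IGNORECASE
)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, procs):
    """Image names of the parent, grandparent, ... as far as the log lets us walk."""
    chain, cur = [], procs.get(event["ParentProcessGuid"])
    while cur is not None:
        chain.append(image_name(cur["Image"]))
        cur = procs.get(cur["ParentProcessGuid"])
    return chain


def analyze(events):
    """Return (rule, ProcessGuid) pairs for every event matching one of the page's behaviours."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventType"] == "ProcessCreate"}
    hits = []
    for e in events:
        guid = e["ProcessGuid"]
        if e["EventType"] == "ProcessCreate":
            img, cmd = image_name(e["Image"]), e["CommandLine"]
            # Lineage walk covers both the direct and the cmd.exe-mediated launch.
            if img in POWERSHELL and any(a in SCRIPT_HOSTS for a in ancestors(e, procs)):
                hits.append(("Wscript starts Powershell (via cmd or directly)", guid))
            if img == "ping.exe" and PING_SLEEP_RE.search(cmd):
                hits.append(("Uses ping.exe to sleep", guid))
            if img in POWERSHELL and PS_DYNAMIC_RE.search(cmd):
                hits.append(("Suspicious powershell code (unpacking / dynamic code loading)", guid))
            if len(cmd) > LONG_CMDLINE:
                hits.append(("Very long command line found", guid))
        elif e["EventType"] == "FileCreate" and STARTUP_VBS_RE.search(e["TargetFilename"]):
            hits.append(("Drops VBS files to the startup folder", guid))
    return hits


def proc(guid, parent, image, cmdline):
    return {"EventType": "ProcessCreate", "ProcessGuid": guid,
            "ParentProcessGuid": parent, "Image": image, "CommandLine": cmdline}


# Constructed events mirroring the behaviour graph; GUIDs are shortened for readability.
SAMPLE_EVENTS = [
    proc("{1}", "{0}", r"C:\Windows\System32\wscript.exe",
         r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\Reserva.vbs"'),
    proc("{2}", "{1}", r"C:\Windows\System32\cmd.exe",
         "cmd /c ping -n 10 127.0.0.1 & powershell -w hidden -enc QUJD"),
    proc("{3}", "{2}", r"C:\Windows\System32\PING.EXE", "ping -n 10 127.0.0.1"),
    proc("{4}", "{2}", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -w hidden -enc " + "QUJD" * 300),
    {"EventType": "FileCreate", "ProcessGuid": "{4}",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BHPu.vbs"},
    # Benign control: an interactive PowerShell started from a parent not present in the log.
    proc("{6}", "{5}", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell Get-Date"),
]


if __name__ == "__main__":
    for rule, guid in analyze(SAMPLE_EVENTS):
        print(f"{guid}: {rule}")
```

The lineage walk is the part that matters: the graph shows PowerShell launched both directly by wscript.exe and two hops down through cmd.exe, so a rule keyed only on the immediate parent would miss the second chain. The benign control event produces no hits.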
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction: https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Visual Basic Script (vbs) 3f92752540e0658dc96fef662e8f96f9552383c8b8da50ea7707b35727a645de (this sample)

Delivery method
Distributed via e-mail attachment

Comments