MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965
SHA3-384 hash: a9c57b9cceb8d860c692f80b520139bfccc8b7789338b00a16616c5a8757538368c4df4d289477afefdce54b89de0d69
SHA1 hash: ff6f3b93df69a7960cd9b20448dc522c5f715dd5
MD5 hash: 88e5c48cd7d0ba596c136967b28803aa
humanhash: purple-minnesota-alpha-shade
File name:JoseTomas.pdf.vbs
Download: download sample
File size:2'273 bytes
First seen:2026-04-11 20:24:28 UTC
Last seen:2026-04-13 17:08:22 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:w2QkMAqHP43J0dS5uTgD/A3Nnsk6Afo8/uS:KkUP4ZkS56kUf6qo8mS
TLSH T1B641B5EFE5169738CE438274016A6C9DDF12E63B1502A050FA8C4945BB149B1F3A53DB
Magika vba
Reporter smica83
Tags:refundonex-com vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
55
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61185/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69daae0c66ab6d001dd164ad
Tags:
phishing xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aes anti-vm base64 crypto fingerprint form masquerade obfuscated opendir powershell
Link:
https://www.filescan.io/uploads/69daae01799d5bf325f8043f/reports/a1a2c542-de9c-4dc6-869c-ddbc65a03af0/overview
Verdict:
Suspicious
Labled as:
TrojanDownloader/VBS.Agent.f
Link:
https://www.hybrid-analysis.com/sample/439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965
Verdict:
Malicious
File Type:
vbs
First seen:
2026-04-11T17:49:00Z UTC
Last seen:
2026-04-13T12:31:00Z UTC
Hits:
~100
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1896937
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: VolumeShadowCopy Symlink Creation Via Mklink
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic JS Downloader
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1896937 Sample: JoseTomas.pdf.vbs Startdate: 11/04/2026 Architecture: WINDOWS Score: 100 129 winup.su 2->129 131 shed.dual-low.part-0012.t-0009.t-msedge.net 2->131 133 8 other IPs or domains 2->133 159 Malicious sample detected (through community Yara rule) 2->159 161 Yara detected Generic JS Downloader 2->161 163 Yara detected UAC Bypass using CMSTP 2->163 165 17 other signatures 2->165 12 wscript.exe 16 2->12         started        17 powershell.exe 2->17         started        19 wscript.exe 2->19         started        21 svchost.exe 2->21         started        signatures3 process4 dnsIp5 147 refundonex.com 87.121.52.71, 443, 49681, 49685 NETERRA-ASBG Bulgaria 12->147 125 C:\Users\user\...\ps_2026411_16358_704.ps1, ASCII 12->125 dropped 127 C:\Users\user\...\JoseTomas.pdf[1].ps1, ASCII 12->127 dropped 181 System process connects to network (likely due to code injection or exploit) 12->181 183 VBScript performs obfuscated calls to suspicious functions 12->183 185 Suspicious powershell command line found 12->185 191 3 other signatures 12->191 23 powershell.exe 14 46 12->23         started        28 msedge.exe 65 406 12->28         started        30 wscript.exe 17->30         started        32 conhost.exe 17->32         started        187 Wscript starts Powershell (via cmd or directly) 19->187 189 WScript reads language and country specific registry keys (likely country aware script) 19->189 34 powershell.exe 19->34         started        149 127.0.0.1 unknown unknown 21->149 file6 signatures7 process8 dnsIp9 135 winup.su 87.121.52.72, 443, 49729, 49735 NETERRA-ASBG Bulgaria 23->135 111 C:\Users\user\AppData\Roaming\...\update.ps1, ASCII 23->111 dropped 113 C:\Users\user\AppData\...\launcher.vbs, ASCII 23->113 dropped 115 ceecc1595-a4d6-41c...ae-feb7fcac4544.ps1, Unicode 23->115 dropped 167 Encrypted powershell cmdline option found 23->167 169 Found suspicious powershell code related to unpacking or dynamic code loading 23->169 171 Loading BitLocker PowerShell Module 23->171 36 powershell.exe 23->36         started        39 powershell.exe 23->39         started        41 conhost.exe 23->41         started        137 192.168.2.7, 138, 443, 49672 unknown unknown 28->137 139 239.255.255.250 unknown Reserved 28->139 43 msedge.exe 25 28->43         started        46 msedge.exe 28->46         started        55 3 other processes 28->55 173 Suspicious powershell command line found 30->173 175 Wscript starts Powershell (via cmd or directly) 30->175 177 WScript reads language and country specific registry keys (likely country aware script) 30->177 48 powershell.exe 30->48         started        51 powershell.exe 34->51         started        53 conhost.exe 34->53         started        file10 signatures11 process12 dnsIp13 109 C:\Users\user\AppData\...\houuuryh.cmdline, Unicode 36->109 dropped 57 csc.exe 36->57         started        75 2 other processes 36->75 60 csc.exe 39->60         started        62 conhost.exe 39->62         started        141 part-0012.t-0009.t-msedge.net 13.107.213.40, 443, 49709, 49710 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 43->141 143 part-0010.t-0009.t-msedge.net 13.107.246.38, 443, 49682, 49743 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 43->143 145 20 other IPs or domains 43->145 151 Suspicious powershell command line found 48->151 153 Encrypted powershell cmdline option found 48->153 64 powershell.exe 48->64         started        67 powershell.exe 48->67         started        69 conhost.exe 48->69         started        71 powershell.exe 51->71         started        73 conhost.exe 51->73         started        file14 signatures15 process16 file17 117 C:\Users\user\AppData\Local\...\houuuryh.dll, PE32 57->117 dropped 77 cvtres.exe 57->77         started        119 C:\Users\user\AppData\Local\...\cdpjc0jy.dll, PE32 60->119 dropped 79 cvtres.exe 60->79         started        155 Encrypted powershell cmdline option found 64->155 81 powershell.exe 64->81         started        84 conhost.exe 64->84         started        86 powershell.exe 67->86         started        88 conhost.exe 67->88         started        121 C:\Users\user\AppData\Local\...\j44yy2fn.0.cs, Unicode 71->121 dropped 90 csc.exe 71->90         started        signatures18 process19 file20 157 Tries to harvest and steal browser information (history, passwords, etc) 81->157 93 cmd.exe 81->93         started        96 csc.exe 81->96         started        99 cmd.exe 86->99         started        101 cmd.exe 86->101         started        123 C:\Users\user\AppData\Local\...\j44yy2fn.dll, PE32 90->123 dropped 103 cvtres.exe 90->103         started        signatures21 process22 file23 179 Tries to harvest and steal browser information (history, passwords, etc) 93->179 107 C:\Users\user\AppData\Local\...\nqkz5ndv.dll, PE32 96->107 dropped 105 cvtres.exe 96->105         started        signatures24 process25
Score:
14%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965/
Verdict:
Malicious
Threat:
Trojan-Downloader.Script
Link:
https://tip.neiki.dev/file/439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-11 20:25:53 UTC
File Type:
Text (VBS)
AV detection:
5 of 23 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iojzd422nt747iogzm7f5dzf5vafltiqmzfh5hwuhdoq7xg2tfsq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution ransomware
Link:
https://tria.ge/reports/260411-y6z3ksbv4s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Indicator Removal: File Deletion
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/61185/

Comments