MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49b899673b5d5b1c4f424373bd6090269d90bc5ff34479a261192f12ebb028a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49b899673b5d5b1c4f424373bd6090269d90bc5ff34479a261192f12ebb028a0
SHA3-384 hash: b21bbe5cf33d3a5ba5d3ae347d5bc56377460333ccca4c5422396bc4c8888702df076bca85ef226c2e4acefbf73319b7
SHA1 hash: 5a82c6f818b4c70d89710cbc8cc44357c8e2dc69
MD5 hash: e188ca13bcfdcefbf689e935b4c6d8f9
humanhash: cup-green-mango-music
File name:Votre relevé fiscal.vbs
Download: download sample
File size:457 bytes
First seen:2022-04-16 06:17:13 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:xPWJCitMlFWZRmV2oaT/kTr5rF3db4DDfoIWr8:xD14o2oEcjdKroIWr8
TLSH T184F0DCE89E88D9C837411CE2C4B10052C9B2ECC0078E2840A8ACC8EB8F71E4C78A80CF
Reporter abuse_ch
Tags:FRA geo vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264079/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/625a5f9bffe27d5119e39223/reports/5ffcb312-b0f0-4614-8cba-07a654cf1e8c/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977621
Signature
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 610108 Sample: Votre relev#U00e9 fiscal.vbs Startdate: 16/04/2022 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 4 other signatures 2->54 7 wscript.exe 3 1 2->7         started        11 wscript.exe 1 2->11         started        13 wscript.exe 1 2->13         started        process3 dnsIp4 40 SQL8001.site4now.net 199.102.48.251, 1433, 49773 ZCOLO-LAS01US United States 7->40 56 System process connects to network (likely due to code injection or exploit) 7->56 58 Wscript starts Powershell (via cmd or directly) 7->58 15 powershell.exe 14 17 7->15         started        20 powershell.exe 6 7->20         started        22 powershell.exe 11->22         started        signatures5 process6 dnsIp7 44 pastetext.net 188.114.96.7, 443, 49774 CLOUDFLARENETUS European Union 15->44 34 C:\Users\Public\rzuv9buyqr.PS1, UTF-8 15->34 dropped 46 Drops VBS files to the startup folder 15->46 24 powershell.exe 24 15->24         started        28 conhost.exe 15->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        file8 signatures9 process10 dnsIp11 42 185.81.157.172, 49775, 49780, 49873 INU-ASFR France 24->42 36 C:\Users\...behaviorgraphoogleChromeUpdateHandlerx64.vbs, ASCII 24->36 dropped 38 C:\Users\...behaviorgraphoogleChromeUpdateHandler.vbs, ASCII 24->38 dropped file12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49b899673b5d5b1c4f424373bd6090269d90bc5ff34479a261192f12ebb028a0/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jg4jszz3lvnryt2cinz32yeqe2ozbpc76nchtitbdexrf25qfcqa._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220416-g2lkysdcbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://pastetext.net/raw/rzuv9buyqr
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49b899673b5d5b1c4f424373bd6090269d90bc5ff34479a261192f12ebb028a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Visual Basic Script (vbs) vbs 49b899673b5d5b1c4f424373bd6090269d90bc5ff34479a261192f12ebb028a0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/264079/

Comments