MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d86f191c4d7a5684116b671618669ec2bdd6bc08337fa2573c773386a14b2df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	4d86f191c4d7a5684116b671618669ec2bdd6bc08337fa2573c773386a14b2df
SHA3-384 hash:	a390bd7d1f323e83114980276151c8a6ebd284c76438d8104f48965a704493340605ef8ea750bdd4883dc4a8f8c5335f
SHA1 hash:	5eb9ebe7b853dc4bb3167f7d935ee9b62ab9fbb0
MD5 hash:	e02b999dc0c9c4bba51b28c6e733055a
humanhash:	lake-west-early-vermont
File name:	1040documentpdf.vbs
Download:	download sample
Signature	DarkGate Alert Create hunting rule
File size:	5'580 bytes
First seen:	2024-03-05 20:38:11 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	96:wwUEmyDTEBzylU+/V9rkcQ3tZUHg4KRZZoPC8Wuo9d3uV0I:wwU0TEBzj+/V9g/tZUHg4KR/oa8Wuo9u
TLSH	T1E2B13203F91B8E34F0526E856A5B9462A6320047FBE5B1C57B9DCBCD93C3A3994F3960
Reporter	rmceoin
Tags:	DarkGate vbs

rmceoin

91.92.245.222/Downloads/1040doc_pdf.lnk
lastmodified: Tue, 05 Mar 2024 09:29:11 GMT
LNK -> mshta http://168.100.8.242/dc001/1040_document_pdf -> http://168.100.8.242/dc001/1040documentpdf.vbs

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

194

Origin country :

US

Vendor Threat Intelligence

ClamAV Detected

Detection(s):

SecuriteInfo.com.HEUR.Trojan-Downloader.Script.Generic.27589.2801.UNOFFICIAL

Alert

Create hunting rule

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

cscript lolbin powershell

Link:

https://www.filescan.io/uploads/65e782e6f4f4cdd404eb9256/reports/64c26699-9247-4e55-9541-258e8712a732/overview

Hybrid Analysis Trojan.Generic

Verdict:

Suspicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4d86f191c4d7a5684116b671618669ec2bdd6bc08337fa2573c773386a14b2df

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Joe Sandbox malicious

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1403686

Signature

Potential malicious VBS script found (suspicious strings)

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

VBScript performs obfuscated calls to suspicious functions

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Benign

Score:

0%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/4d86f191c4d7a5684116b671618669ec2bdd6bc08337fa2573c773386a14b2df

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d86f191c4d7a5684116b671618669ec2bdd6bc08337fa2573c773386a14b2df/

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jwdpdeoe26swqqiwwzywdbtj5qv5226aqm37ujlty5ztq2quwlpq._file

Threatray unknown

Verdict:

unknown

Hatching Triage darkgate

Result

Malware family:

darkgate

Alert

Create hunting rule

Score:

  10/10

Tags:

family:darkgate botnet:xr_itzx001 stealer

Link:

https://tria.ge/reports/240305-ze9y5shg65/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

DarkGate

Detect DarkGate stealer

Malware Config

C2 Extraction:

45.140.146.2

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4d86f191c4d7a5684116b671618669ec2bdd6bc08337fa2573c773386a14b2df