MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51574e9dc00eca75a025fe34e729a487624e1f2f77100618ff67cffb80a36686. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51574e9dc00eca75a025fe34e729a487624e1f2f77100618ff67cffb80a36686
SHA3-384 hash: 7fcdc471adcd6cadd763cbb4ab1acfced902ba4a7b319ecebc17cbdef55ffd3d441e8c20df2c7afee289dae23dd8b01b
SHA1 hash: 793dc3d85139c41396d22b341c3840fffd5f4e8a
MD5 hash: 17e11f6f7d064992deeb632e62b64e8e
humanhash: one-ohio-ink-kansas
File name:10700_SR_EN.pdf.vbs
Download: download sample
File size:3'067 bytes
First seen:2023-10-04 03:40:04 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:ek/1VwMSCgcHnv/u6CCB+Tqo7oESQdfRJ0daRJCz0nvzE634:e8UCgyv/uUBGl5zRJ9RJBvzQ
Threatray 72 similar samples on MalwareBazaar
TLSH T1D0518399F4276AF0830B77A1EEA64009AEF1922729216025BFDC8C5C4F411F9A3C173A
Reporter 1ZRR4H
Tags:vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
CL CL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.22495.20338.16646.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Cert.Downloader.1.Generic
Link:
https://www.hybrid-analysis.com/sample/51574e9dc00eca75a025fe34e729a487624e1f2f77100618ff67cffb80a36686
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1319163
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Potential malicious VBS script found (suspicious strings)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51574e9dc00eca75a025fe34e729a487624e1f2f77100618ff67cffb80a36686/
Threat name:
Win32.Downloader.Cert
Create hunting rule
Status:
Malicious
First seen:
2023-09-30 05:04:33 UTC
File Type:
Text (VBS)
AV detection:
8 of 22 (36.36%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kflu5hoab3fhlibf7y2ookneq5re4hzpo4iamgh7m7h7xafdm2da._file
Verdict:
malicious
Similar samples:
3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786
591a2906dcc822e0137732a6938f0ec84887ebb5f13524f83be179d801f44ab6
611f5ffa068e79b43ee99f31b5ac20bdc5684d5c1bca049f7b14f58cb8cb118a
7a79cf6ab813112071252ed1e256467023499c58f501a6404d7fd7e3ddd3bc22
9076b1f904d3f53fcad6a38b7852ed9cb08905f71560dde89db1026c839b77bd
9e654f6b86c026d9927cb396a09c509eff0f2df0555616d1d473827278a35040
cd10d150eef5383972a6c479e1c85f259874828aa33aae2da36b118b4fcc6961
ec0898d88ee59ee97415deedbc28c6754a4bf83c1443d10e9cd0deeb219f0deb
+ 62 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/231004-d8rtrsag34/
Behaviour
Creates scheduled task(s)
Script User-Agent
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51574e9dc00eca75a025fe34e729a487624e1f2f77100618ff67cffb80a36686

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Certutil_Decode_OR_Download
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Certutil Decode
Reference:Internal Research
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments