MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53effeef0d2fe3d3fe43b0113fc19aaee313df353e8d910daabe1fc3821992ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: 53effeef0d2fe3d3fe43b0113fc19aaee313df353e8d910daabe1fc3821992ef
SHA3-384 hash: 8905a8de0d5998dc62e84540c835d9f28a0e27d74463086d71ecd823cbb136c8b501563245cef4abf5814efaad4b0de0
SHA1 hash: d629dbba53383f1275653b4097387939de9f0727
MD5 hash: f7155891d79a7d096ceea86c35ff150c
humanhash: salami-summer-double-cup
File name: 812100000HU012100.vbs
File size: 89'718 bytes
First seen: 2025-09-02 08:23:50 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 384:/VVVVVVVVxyiwaK5HeXQj2a+Lrar9Tlf0AAhuwnIr7kOPWVVVVVVVVVVVVVVVV7:srZia+Le/0AAh+XfPC
TLSH: T1D693390EB6EF40487072AF55AE9362B65B7B7D66257CD08941CC26090FD3A40DCA1BFB
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
      33.3% (.MP3) MP3 audio (1000/1)
Magika: vba
Reporter: abuse_ch
Tags: vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 27
Origin country: SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Tags:
xtreme shell sage
Verdict:
Malicious
File Type:
vbs
First seen:
2025-09-01T08:32:00Z UTC
Last seen:
2025-09-01T08:32:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powershell cmdlets to delay payload execution
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID: 1769340, Sample: 812100000HU012100.vbs, Startdate: 02/09/2025, Architecture: WINDOWS, Score: 100)

Process chain (as recovered from the graph):
  wscript.exe (x3, plus 4 other processes) -> powershell.exe (multiple instances, plus conhost.exe) -> powershell.exe -> cmd.exe / powershell.exe -> InstallUtil.exe -> InstallUtil.exe, schtasks.exe (x2, each with conhost.exe)
  cmd.exe -> PING.EXE (ping.exe used to sleep and to check network status)

Network indicators (domain, IP, ports, ASN, country, contacting process):
  xtadts.ddns.net, 103.8.27.52, 49693, 49695, 49696, SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY, Malaysia (InstallUtil.exe)
  webdot.ddns.net, 185.163.204.16, 1011, 49707, 49717, CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE, Germany (InstallUtil.exe)
  pirminmurergestionale.com, 37.156.42.108, 443, 49694, 49697, VEMGB, United Kingdom (InstallUtil.exe)
  andrefelipedonascime1756166725866.0531865.meusitehostgator.com.br, 172.64.145.200, 443, 49690, 49691, CLOUDFLARENETUS, United States (powershell.exe)
  ktc2005.com, 161.248.200.150, 443, 49692, BPL-ASNUS, unknown (powershell.exe)
  mundocarnes.cl, 131.108.211.120, 443, 49731, 49749, TECNOLOGIACHILECOMLTDATCHILECOMCL, Chile (powershell.exe)
  127.0.0.1, unknown, unknown (PING.EXE and related processes)
  5 other IPs or domains

Dropped files (path, encoding, dropping process):
  C:\Users\user\AppData\Local\...\msthf_01.ps1, Unicode (powershell.exe)
  C:\Users\user\AppData\LocalLow\...\wygnh.ps1, ASCII (powershell.exe)
  C:\Users\user\AppData\LocalLow\...\vudac.ps1, Unicode (powershell.exe)
  C:\Users\user\AppData\LocalLow\...\ceehc.ps1, ASCII (powershell.exe)
  C:\Users\user\AppData\LocalLow\...\xpzau.ps1, ASCII (powershell.exe)
  C:\Users\user\AppData\LocalLow\...\nrtbe.ps1, Unicode (powershell.exe)
  C:\Users\user\AppData\LocalLow\...\fiuwd.ps1, ASCII (powershell.exe)
  C:\Users\user\AppData\LocalLow\...\taomq.ps1, ASCII (powershell.exe)
  C:\Users\user\AppData\LocalLow\...\shgcl.ps1, ASCII (powershell.exe)
  C:\Users\user\AppData\Local\Temp\gvzjz.vbs, Unicode (InstallUtil.exe)
  C:\Users\user\AppData\Local\...\bgekbuex.vbs, Unicode (InstallUtil.exe)
  C:\...\2bc61a3518454257b9233f326723f43c.xml, XML (InstallUtil.exe)

Signatures attached to graph nodes:
  Sample: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures
  webdot.ddns.net: Uses dynamic DNS services
  wscript.exe: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
  powershell.exe: Suspicious powershell command line found; Encrypted powershell cmdline option found; Self deletion via cmd or bat file; Uses powershell cmdlets to delay payload execution; Writes to foreign memory regions; Injects a PE file into a foreign processes; Adds a directory exclusion to Windows Defender; Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Loading BitLocker PowerShell Module
  cmd.exe: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Uses powershell cmdlets to delay payload execution; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  InstallUtil.exe: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Tries to harvest and steal Bitcoin Wallet information; Installs a global keyboard hook; 3 other signatures
Verdict:
inconclusive
YARA:
1 match(es)
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2025-09-01 11:14:34 UTC
File Type:
Text (VBS)
AV detection:
7 of 24 (29.17%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
defense_evasion discovery execution
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Hide Artifacts: Ignore Process Interrupts
Indicator Removal: File Deletion
Network Share Discovery
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments