MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a62efe173a9eedf1175a22e079547b476828850019a0847491d0d6b61e7afb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a62efe173a9eedf1175a22e079547b476828850019a0847491d0d6b61e7afb4
SHA3-384 hash: 364ea5e368e84c4ad1d68f647b2f806e4b4c4ade63b394987f6eb6acbc802a018c4c7e96968e3f1f1ff58767dc1f69c1
SHA1 hash: 083157b7f29754c63fd6886ed8cd449664bebdc3
MD5 hash: e1603b71c745388e65c9562a799e5753
humanhash: victor-michigan-wisconsin-pip
File name:documentos DHL.vbs
Download: download sample
File size:195'314 bytes
First seen:2022-11-04 07:45:34 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:mAAAAAAAAAAAAgAAAAAAAAAAAA93AAAAAAAAAAAAmAAAAAAAAAAAAH2AAAAAAAAE:XO3
Threatray 13 similar samples on MalwareBazaar
TLSH T1E0141931BAE81596B0F3464B6D37F1D41B7F3DE829229E0882CC694E1EFDA14451A7F2
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:DHL vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/328375/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63393919.21849.2803.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6364c341a8436570d7408440/reports/27b5a1c3-38e8-4422-9ca5-1048cc0c57a2/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1105218
Signature
Antivirus detection for URL or domain
Downloads files with wrong headers with respect to MIME Content-Type
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a62efe173a9eedf1175a22e079547b476828850019a0847491d0d6b61e7afb4/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-11-04 00:43:52 UTC
File Type:
Text
AV detection:
6 of 40 (15.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=njro7yltvhxn6elvuixapfkhwr3ifccqagnaqr2jdugwwyphv62a._file
Verdict:
malicious
Similar samples:
24f106d58c742c28bb292ff2901ef26a867f2a3e635ac8211ab47ce53c02c825
27b88ba823d01556991af14ca81adee4121dbde24bc469c51f00ffa63d21d2e3
48ca2d86d3f94d2ec77c7bde9744f9c967186e7d6d61d7b72ff8e03858dfa838
584bd954035020f5bf4699ff5c1e345b915df35c618aaa85d70d8fd2666a5809
857c7dc4b88d6fa4751d23d732784204fdf452114f4135437579e3cfe4ba452d
c9d7f04210c5731d1879ba3f8c36e06dcf872b28766629225e8aa583e52a5574
eb315f25a82f07dac9c40b3eac6db816a46ed3755f79d01a64c1681e148bee82
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/221104-jlztrafbem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://20.106.255.48/dll/nostartup.pdf
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a62efe173a9eedf1175a22e079547b476828850019a0847491d0d6b61e7afb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/328375/

Comments