MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75b6589abb41cfee6bd7a5bf66237e679d7f7a2039bb244d02c9faf1d68fb39f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 6



SHA256 hash: 75b6589abb41cfee6bd7a5bf66237e679d7f7a2039bb244d02c9faf1d68fb39f
SHA3-384 hash: 458013bc05773213167db26ba9dad8512b42e62fc5ac243e964c2e33037993fbaf7eb8fdc277e194bb48f290c5f030e5
SHA1 hash: 9ceb2953fdc54732f8fd1c3247b395f7597aed13
MD5 hash: c8158b8b24173de5abd0008e90d07d45
humanhash: ten-wyoming-georgia-quebec
File name: Remittance-current-order.vbs
File size: 20'840 bytes
First seen: 2022-11-10 07:25:47 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 384:VzRYNZ/6uKClbo5huozUSQNFr4cMxfOwQS41VqWnCc0ov0ZEiy1UfZc/uP0:rY//6bGWOSQNu3R41VqWnCI1YquP0
Threatray: 3'118 similar samples on MalwareBazaar
TLSH: T1B392E3984FAB119D116352FBAA4E1139E914C4FB445088B6BC2EF8758E443613EFD88F
Reporter: abuse_ch
Tags: vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 101
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: evasive

Result
Verdict: UNKNOWN
Details: Base64 Encoded URL (Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.)
Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 84 / 100
Signature
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID 742809; Sample: Remittance-current-order.vbs; Startdate: 10/11/2022; Architecture: WINDOWS; Score: 84):
Sample-level signatures: Malicious sample detected (through community Yara rule); Sigma detected: Dot net compiler compiles file from suspicious location; Potential malicious VBS script found (suspicious strings); Machine Learning detection for dropped file.
wscript.exe (started by the sample) - signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found. Child processes: powershell.exe, cmd.exe.
powershell.exe - network: drive.google.com (142.250.203.110, port 443, GOOGLEUS, United States); dropped: C:\Users\user\AppData\...\zqgnrvk0.cmdline (Unicode). Child processes: csc.exe, WerFault.exe, conhost.exe, WerFault.exe.
cmd.exe - child process: conhost.exe.
csc.exe - dropped: C:\Users\user\AppData\Local\...\zqgnrvk0.dll (PE32). Child process: cvtres.exe.
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Visual Basic Script (vbs): 75b6589abb41cfee6bd7a5bf66237e679d7f7a2039bb244d02c9faf1d68fb39f (this sample)

Delivery method
Distributed via e-mail attachment

Comments