MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c6e56b9362f545d62c2bc2833df72b50858280027190459e72288abb9306118. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 7c6e56b9362f545d62c2bc2833df72b50858280027190459e72288abb9306118
SHA3-384 hash: 873f6a72151885ef4200da168126240d36d05be2e357da2ff8aee0f2259d65ddc5c17690f359ef7f5635c9d184762937
SHA1 hash: 1cca36cf0ac02f120104259f9806bcb350f9a07c
MD5 hash: 222ee00e12ecf54088fbecb26f801f59
humanhash: victor-carbon-bulldog-black
File name: KROPO_CLEAN.vbs
File size: 12'350 bytes
First seen: 2022-05-08 03:23:44 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 96:zbxGT/ts1INOZWaZD8OZWaZ53HupkXqjxEQfjMO:zNGT/tsWKWapzWanH4kXQWQfYO
Threatray: 61 similar samples on MalwareBazaar
TLSH: T1DF42423B4B62C1E1913F00B5D503888ED0D6A4632B296366DD84F9D9E1ED1933FE91AF
Reporter: petikvx
Tags: joke kropo vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 237
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: schtasks.exe wacatac
Result
Verdict: MALICIOUS
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID: 622127; Sample: KROPO_CLEAN.vbs; Start date: 08/05/2022; Architecture: WINDOWS; Score: 68):
wscript.exe (started)
  wscript.exe (started) -> kropo.hugii.repl.co 35.186.245.55, 443, 49758, 49762 GOOGLEUS United States
    schtasks.exe (started) -> conhost.exe (started)
  schtasks.exe (started) -> conhost.exe (started)
wscript.exe (started)
Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2022-05-02 05:00:00 UTC
File Type: Text (VBS)
AV detection: 7 of 42 (16.67%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
