MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca4d82a3c58cde4fefab8647f477ec29e903507c99212c6ae53a6802223423d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ca4d82a3c58cde4fefab8647f477ec29e903507c99212c6ae53a6802223423d
SHA3-384 hash: 5acc8825a540383cb022851023b9f73b06b274238c6aa181234d7e20b5e13667722594c29a3327d9cc7c8703b33989d0
SHA1 hash: 2cfc8fe093aa0539d07c7f12add6f917a4cda7ec
MD5 hash: 5c0d70340c9228c9c30d14551566cdc5
humanhash: island-helium-princess-orange
File name:OB74.vbs
Download: download sample
File size:4'924 bytes
First seen:2021-05-03 13:42:03 UTC
Last seen:2021-05-03 14:01:44 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:GwAyv0xZ6hbfGUcSyLBd+mCX9CqMi9Yki+9+uoTGKhOwMv:PAxZ6hrGecB2sAYkigpoib/
Threatray 190 similar samples on MalwareBazaar
TLSH FEA13EC4F4448C70C035DE2B880A46FB85785EE70198932EFFAF58646CDCF3082A825C
Reporter abuse_ch
Tags:vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148514/
Detection(s):
SecuriteInfo.com.Trojan.VBS.SAgent.gen.26965.2557.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707979
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Potential evasive VBS script found (sleep loop)
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: APT29
Sigma detected: Drops script at startup location
Sigma detected: EvilNum Golden Chickens Deployment via OCX Files
Sigma detected: PowerShell DownloadFile
Sigma detected: Ryuk Ransomware
Sigma detected: Suspicious Eventlog Clear or Configuration Using Wevtutil
Sigma detected: System File Execution Location Anomaly
Sigma detected: UNC2452 Process Creation Patterns
VBScript performs obfuscated calls to suspicious functions
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 402909 Sample: OB74.vbs Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 35 clientconfig.passport.net 2->35 49 Malicious sample detected (through community Yara rule) 2->49 51 Sigma detected: APT29 2->51 53 Sigma detected: UNC2452 Process Creation Patterns 2->53 55 9 other signatures 2->55 8 wscript.exe 8 2->8         started        12 wscript.exe 1 2->12         started        signatures3 process4 file5 31 C:\Users\user\AppData\Roaming\...\Chrome.vbs, ASCII 8->31 dropped 59 VBScript performs obfuscated calls to suspicious functions 8->59 61 Wscript starts Powershell (via cmd or directly) 8->61 63 Potential evasive VBS script found (sleep loop) 8->63 65 2 other signatures 8->65 14 powershell.exe 14 16 8->14         started        19 powershell.exe 12 12->19         started        signatures6 process7 dnsIp8 41 ia601502.us.archive.org 207.241.227.112, 443, 49699 INTERNET-ARCHIVEUS United States 14->41 33 C:\Users\Public\Documents\Oneman.htm, PE32 14->33 dropped 43 Writes to foreign memory regions 14->43 45 Injects a PE file into a foreign processes 14->45 47 Powershell drops PE file 14->47 21 jsc.exe 15 2 14->21         started        25 conhost.exe 14->25         started        27 jsc.exe 3 19->27         started        29 conhost.exe 19->29         started        file9 signatures10 process11 dnsIp12 37 ipwhois.app 136.243.172.101, 443, 49700 HETZNER-ASDE Germany 21->37 39 hostmeisgood.publicvm.com 54.91.196.22, 310, 49701 AMAZON-AESUS United States 21->39 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->57 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ca4d82a3c58cde4fefab8647f477ec29e903507c99212c6ae53a6802223423d/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 13:42:09 UTC
AV detection:
2 of 47 (4.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pssnqkr4ldg6j7x2xbsh6r36ykpjanihzgjbfrvokotiairdii6q._file
Verdict:
malicious
Similar samples:
44ea4b14ee643709c87800d407e19e45d9f6a1f3bea15c00de3afcfba2614e8a
4c6c1c0d7925af6c2891164d67743204132fcc8ea3cda471c005f446ea1cfda1
51ad568171d6a835bc1edd45cfe1fee659085dfc4522ac3d93c1458688d44bd5
572c44582bd57e673a2fffa68259bd82cf37b9f95030e2d8906b588e71d808e0
810bbf258484b94bf2e51c7fba2f8a19f6aaf1137c982d2d6a97e600159c16fa
904a518a8c867a1fd79e963fcdd317aa9f5a76eb6964b027cb0566d4a87102d7
9cdcc531878d3a23d2da833a058efa100b91d212e4d5780cb21d5d36db0cbd01
b71d6728f8709dc2b8b6a57bbd0ea7d27e78a0ea16af5eff61b2d11f983e0129
b7f09be3bf95632ac3219b3d402a419e9bc40a54a3fc6ac1c57c183798e525fe
ee1b2c9bdba344c7fe2dc2bec7544a038ad64dbed6add636ecdd426079296c28
+ 180 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210503-gb5en1zn8j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Blocklisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ca4d82a3c58cde4fefab8647f477ec29e903507c99212c6ae53a6802223423d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148514/

Comments