MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac
SHA3-384 hash:	ac534ad74c79aba81543ffc51fe9a5fa41c95052299e816c150a1389fdb4f727b9706720f8bdfefd113085d59394fab8
SHA1 hash:	071ee6dec991cbf30c9535a9cc119742dc273206
MD5 hash:	8e0172134b7f15992d6464767e423996
humanhash:	football-sad-paris-finch
File name:	Forum Amino 💬 telegram.txt 266 4elovek foto 62lx.vbs
Download:	download sample
File size:	10'374 bytes
First seen:	2024-10-05 19:34:38 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	96:c8LFHzb+U5X4wrqqeH+5YoieyzgJABJ/fxrQsuO3zKA6pT8dmbTij+aUSH:cmFmU5KHJVerJABRu6N1dmnh8H
TLSH	T15422CB8A1D28EDC433CF7A79AE9C558012D0DB2F6FB781A0E04BD4B16F619A875047B3
Magika	vba
Reporter	imperialwool
Tags:	vbs

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

Vendor Threat Intelligence

Detection(s):

Vbs.Downloader.Fajan-9852006-0

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=670194e7ebeac9e68050c9c5

Tags:

Powershell Emotet Gumen

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac

Result

Verdict:

MALICIOUS

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1526461

Signature

AI detected suspicious sample

Bypasses PowerShell execution policy

Sigma detected: Cscript/Wscript Uncommon Script Extension Execution

Sigma detected: Powershell download and execute file

Sigma detected: PowerShell DownloadFile

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to download and execute files (via powershell)

VBScript performs obfuscated calls to suspicious functions

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2024-10-05 19:35:05 UTC

File Type:

Text (VBS)

AV detection:

11 of 24 (45.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ps6nmmne4e5rf4kxpmdt2zwa76m2hmovswe6qbsm3j5rubwxz6wa._file

Verdict:

malicious

Label(s):

donutloader

r77_core

Similar samples:

error

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion execution

Link:

https://tria.ge/reports/241005-yandxavfrh/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Indicator Removal: Clear Windows Event Logs

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Malware Config

Dropper Extraction:

http://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/stubInf.exe

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample