MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81e4e91b8a841311b28b42951d53ec6ce471227480ca97c91c2aa1eeda6dad30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 81e4e91b8a841311b28b42951d53ec6ce471227480ca97c91c2aa1eeda6dad30
SHA3-384 hash: 98fd2aaf55191817af0f93f8c5061a85a8ac37c2abfabc3616fa995ab4537fbaacfb21b329a59f433d735cbc4e764bf7
SHA1 hash: 5969005e2cc523ddd9a32e83da638a2e44864213
MD5 hash: fabb208cba64b9f0b026ab06e5d9682b
humanhash: nine-cardinal-sweet-georgia
File name: 81e4e91b8a841311b28b42951d53ec6ce471227480ca97c91c2aa1eeda6dad30.vbs
Download: download sample
File size: 14'885 bytes
First seen: 2023-03-09 19:35:29 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 384:Jz0D5peNEYDEZjJ2QR41ajrcpE4rocCMhidGpPGmX0jWby:JgDreSKQJHcpE4roPM8iGmX0jWu
Threatray: 932 similar samples on MalwareBazaar
TLSH: T1EB622B4A7C9239C4067366F3954F48B9D62A28F718618CB93D4CF5B04F30B9A7C5C59B
Reporter: xme
Tags: sansisc vbs VBScript

Intelligence


File Origin
# of uploads: 1
# of downloads: 161
Origin country: BE
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: cmd.exe
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.expl.evad
Score: 84 / 100
Signature
Encrypted powershell cmdline option found
Malicious sample detected (through community Yara rule)
Performs DNS queries to domains with low reputation
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID 823585; sample IWekMe516D.vbs; start date 09/03/2023; architecture WINDOWS; score 84). Information recovered from the graph:
Process tree: wscript.exe -> cmd.exe -> powershell.exe (+ conhost.exe); a second cmd.exe -> powershell.exe (+ conhost.exe); GoogleUpdateBroker.exe also started. powershell.exe starts chrome.exe, csc.exe and taskkill.exe; csc.exe starts cvtres.exe; chrome.exe starts a child chrome.exe.
Dropped files: C:\Users\user\AppData\...\tgfsx1yp.cmdline (Unicode, written by powershell.exe); C:\Users\user\AppData\Local\...\tgfsx1yp.dll (PE32, written by csc.exe).
Network: rtowatchship.xyz 172.64.202.38:443 (CLOUDFLARENETUS, United States, from powershell.exe); 192.168.2.1 and 239.255.255.250 (from chrome.exe); com.otspeakwhens.com and pogothere.xyz 172.64.132.29:443 (CLOUDFLARENETUS, United States, from the child chrome.exe), plus 10 other IPs or domains.
Graph signatures: Malicious sample detected (through community Yara rule); Sigma detected: Dot net compiler compiles file from suspicious location; Very long command line found; Performs DNS queries to domains with low reputation; VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Suspicious powershell command line found; Encrypted powershell cmdline option found.
Threat name: Text.Trojan.Generic
Status: Suspicious
First seen: 2023-03-09 06:24:56 UTC
File Type: Text (VBS)
AV detection: 5 of 23 (21.74%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives
Rule name: detect_bitcoin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments