MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85bdf691ddbeebf9a11faa642fc7767507014483a7d43ede19406bfe46b8969f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 85bdf691ddbeebf9a11faa642fc7767507014483a7d43ede19406bfe46b8969f
SHA3-384 hash: db344d62721bf3de289d6df78dab5358271748cbca3f59a3d400fb0c1b63f18654688d4b9e61438ab16cf1260d580a7b
SHA1 hash: d3368caccf096fe27b5c2b77e867e465f7d248d2
MD5 hash: cb6983e1dbaaf2391c9b4ea582e2b8c1
humanhash: cup-nine-gee-eight
File name: Fattura10.18.23.vbs ("Fattura" is Italian for "invoice"; an invoice-themed lure, consistent with the IT origin below)
File size: 12'638'470 bytes (about 12.6 MB, far larger than a working script needs; the ssdeep hash below is one short pattern repeated, which is what bulk padding or junk content produces)
First seen: 2023-10-19 07:29:02 UTC
Last seen: 2023-10-19 12:37:06 UTC
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 12:IhphphphphphphphphphphphphphphphphphphphphphphphphphphphphphphphpW:PIMkUkUMt63Xe3cjCgvIMkUkUt
Threatray: 22 similar samples on MalwareBazaar
TLSH: T153D603E70B50EB4913718C5F740A3A5768BEAAAB0D7AC2B31D433135EB5CC7A6054BD0
Reporter: Mangusta
Tags: spm23-casacam-net studioaziende-click vbs

Intelligence


File Origin
# of uploads: 2
# of downloads: 148
Origin country: IT

Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade

Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to change the wallpaper
Contains VNC / remote desktop functionality (version string found)
Downloads suspicious files via Chrome
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Powershell drops PE file
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph ID: 1328550
Sample: Fattura10.18.23.vbs
Start date: 19/10/2023
Architecture: WINDOWS
Score: 100

Process tree, reconstructed from the extracted graph (indentation shows parent/child; "Signatures" are the sandbox signatures attached to that node, "Dropped" the files it wrote, "Network" the destinations it contacted):

Fattura10.18.23.vbs (root)
  Domains: studioaziende.click, spm23.casacam.net
  Signatures: Antivirus detection for URL or domain; Yara detected Powershell download and execute; Downloads suspicious files via Chrome
  wscript.exe
    Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
    powershell.exe
      Signatures: Suspicious powershell command line found; Powershell drops PE file
      conhost.exe
      powershell.exe
        lady.exe
          Dropped: C:\Users\user\AppData\Local\...\vncviewer.jpg (PE32); C:\Users\user\AppData\Local\...\vnchooks.jpg (PE32); C:\Users\user\AppData\Local\Temp\viewer.jpg (PE32); 3 other files (none is malicious)
          cmd.exe
            Dropped: taskhost.exe, vncviewer.exe, vnchooks.dll (all PE32; the drop directory is garbled in the extracted graph as "C:behaviorgraphames\"); 3 other files (none is malicious)
            Signatures: Uses cmd line tools excessively to alter registry or file data; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
            viewer.exe
              cmd.exe
                cmd.exe
                  taskhost.exe
                    Network: spm23.casacam.net 45.90.222.54:5500 (MAJESTIC-HOSTING-01US, Germany)
                    Signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Contains VNC / remote desktop functionality (version string found)
                  mode.com
                  netsh.exe
                  3 other processes
                cmd.exe
                  Signatures: Uses cmd line tools excessively to alter registry or file data
                  reg.exe
                viewer.exe
                  cmd.exe
                    conhost.exe
                5 other processes
            msedge.exe
              Network: 192.168.2.5:443; 239.255.255.250 (Reserved)
              Dropped: C:\Users\user\AppData\...\content_new.js (Unicode); C:\Users\user\AppData\Local\...\content.js (Unicode); C:\Users\user\...\page_embed_script.js (ASCII); C:\Users\user\...\eventpage_bin_prod.js (ASCII)
              msedge.exe
                Network: part-0041.t-0009.t-msedge.net 13.107.213.69:443 (MICROSOFT-CORP-MSN-AS-BLOCK, United States); ssl.bingadsedgeextension-prod.azurewebsites.net 138.91.254.96:443 (MICROSOFT-CORP-MSN-AS-BLOCK, United States); 12 other IPs or domains
              msedge.exe
              msedge.exe
            cmd.exe
              Signatures: Uses cmd line tools excessively to alter registry or file data
              reg.exe
            11 other processes
        powershell.exe
          Network: studioaziende.click 104.21.85.155:443 (CLOUDFLARENET, United States)
        powershell.exe
          Dropped: C:\Users\user\AppData\Local\Temp\lady.exe (PE32)
        svchost.exe
          Network: 127.0.0.1
  cmd.exe (second root branch)
    viewer.exe
      cmd.exe
        cmd.exe
          Signatures: Uses cmd line tools excessively to alter registry or file data
          reg.exe
        cmd.exe
          mode.com
          netsh.exe
          netsh.exe
          2 other processes
        conhost.exe
        4 other processes
    conhost.exe
    WMIC.exe
    findstr.exe

Network indicators worth acting on from this graph:
- studioaziende.click (104.21.85.155:443, Cloudflare-fronted): contacted by powershell.exe, i.e. the download stage that produced lady.exe.
- spm23.casacam.net (45.90.222.54:5500, MAJESTIC-HOSTING-01US, geolocated to Germany): contacted by the dropped taskhost.exe. TCP/5500 is the default listener port for VNC reverse connections ("vncviewer -listen"), which fits the VNC version string found in that binary and the vncviewer/vnchooks files dropped beside it: the victim dials out to the operator's viewer rather than exposing a listener, so inbound-port monitoring will not see it.
- The msedge.exe traffic (t-msedge.net, bingadsedgeextension-prod.azurewebsites.net, 192.168.2.5, 239.255.255.250 SSDP multicast) is browser and sandbox-network background activity, not an indicator.
Result
Malware family: n/a
Score: 8/10
Tags: evasion
Behaviour
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for VirusTotal.
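The two vendor reports above describe the same chain from different angles: a script host spawning PowerShell (directly or via cmd.exe), PowerShell writing an executable that is then run, netsh changing the firewall, and a dropped binary dialing out on the VNC reverse-connect port. Below is an added example (not code from MalwareBazaar or either sandbox vendor) that turns those signatures into detection logic and replays it over constructed Sysmon-style events; the pids, paths and command lines in the events are made up to mirror the graph, and the port-5500 rule assumes the RFB reverse-connection default.

```python
"""Added example: detection rules for the chain reported on this MalwareBazaar entry,
replayed over constructed Sysmon-style events (ID 1 process create, 3 network
connect, 11 file create). Field names follow Sysmon's schema; the events themselves
are made up for the demo and are not telemetry from the sample."""
import ipaddress
import os

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PASSTHROUGH_SHELLS = {"cmd.exe"}   # hops we look through when tracing back to a script host
VNC_REVERSE_PORTS = {5500}         # assumed: default RFB reverse-connect listener port (vncviewer -listen)


def basename(path):
    """Lower-cased image name from a Windows path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def script_host_ancestor(pid, parents, images, max_hops=3):
    """Pid of a wscript/cscript ancestor reachable only through cmd.exe hops, else None."""
    cur = parents.get(pid)
    for _ in range(max_hops):
        if cur is None:
            return None
        name = basename(images.get(cur, ""))
        if name in SCRIPT_HOSTS:
            return cur
        if name not in PASSTHROUGH_SHELLS:
            return None
        cur = parents.get(cur)
    return None


def detect(events):
    """Replay events in order; return findings as (rule, pid, detail) tuples."""
    parents, images, dropped_by_powershell, findings = {}, {}, {}, []
    for ev in events:
        eid, pid, image = ev["EventID"], ev["ProcessId"], ev["Image"]
        if eid == 1:
            images[pid] = image
            parents[pid] = ev["ParentProcessId"]
            images.setdefault(ev["ParentProcessId"], ev["ParentImage"])
            name = basename(image)
            if name == "powershell.exe":
                host = script_host_ancestor(pid, parents, images)
                if host is not None:
                    findings.append(("script_host_spawns_powershell", pid, f"script host pid {host}"))
            if name == "netsh.exe" and "firewall" in ev["CommandLine"].lower():
                findings.append(("netsh_firewall_modify", pid, ev["CommandLine"]))
            if image.lower() in dropped_by_powershell:   # "Executes dropped EXE"
                writer = dropped_by_powershell[image.lower()]
                findings.append(("executes_dropped_exe", pid, f"file written by powershell pid {writer}"))
        elif eid == 11 and basename(image) == "powershell.exe":
            dropped_by_powershell[ev["TargetFilename"].lower()] = pid   # remember what PowerShell wrote
        elif eid == 3 and ev["Initiated"]:
            dst = ipaddress.ip_address(ev["DestinationIp"])
            if ev["DestinationPort"] in VNC_REVERSE_PORTS and not dst.is_private:
                findings.append(("outbound_vnc_reverse_port", pid, f"{dst}:{ev['DestinationPort']}"))
    return findings


def rules_hit(events):
    """Distinct rule names fired, sorted, for a quick triage verdict."""
    return sorted({rule for rule, _, _ in detect(events)})


def proc(pid, image, ppid, pimage, cmdline):
    return {"EventID": 1, "ProcessId": pid, "Image": image,
            "ParentProcessId": ppid, "ParentImage": pimage, "CommandLine": cmdline}


SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed events mirroring the behaviour graph; pids, paths and command lines are made up.
SAMPLE_EVENTS = [
    proc(100, SYS32 + r"\wscript.exe", 50, r"C:\Windows\explorer.exe",
         r'wscript.exe "C:\Users\user\Downloads\Fattura10.18.23.vbs"'),
    proc(200, PS, 100, SYS32 + r"\wscript.exe", "powershell.exe -w hidden -c <constructed stage>"),
    proc(210, SYS32 + r"\cmd.exe", 100, SYS32 + r"\wscript.exe", "cmd.exe /c powershell ..."),
    proc(220, PS, 210, SYS32 + r"\cmd.exe", "powershell -nop -w hidden ..."),   # the "via cmd" variant
    {"EventID": 11, "ProcessId": 200, "Image": PS, "TargetFilename": TEMP + r"\lady.exe"},
    proc(300, TEMP + r"\lady.exe", 200, PS, "lady.exe"),
    proc(400, SYS32 + r"\cmd.exe", 300, TEMP + r"\lady.exe", "cmd.exe /c ..."),
    proc(500, SYS32 + r"\netsh.exe", 400, SYS32 + r"\cmd.exe",
         'netsh advfirewall firewall add rule name="x" dir=in action=allow program="' + TEMP + r'\taskhost.exe"'),
    {"EventID": 3, "ProcessId": 600, "Image": TEMP + r"\taskhost.exe", "Initiated": True,
     "DestinationIp": "45.90.222.54", "DestinationPort": 5500},
    # Benign noise that must not fire: the browser talking to Microsoft on 443, and
    # PowerShell launched from Explorer by a user.
    proc(700, EDGE, 300, TEMP + r"\lady.exe", "msedge.exe"),
    {"EventID": 3, "ProcessId": 700, "Image": EDGE, "Initiated": True,
     "DestinationIp": "13.107.213.69", "DestinationPort": 443},
    proc(800, PS, 50, r"C:\Windows\explorer.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<4} {detail}")
```

The "executes dropped EXE" rule needs no file-content inspection: it keys on a process image that PowerShell itself wrote earlier in the stream, which also catches the .jpg-named PE32 drops seen above once they are renamed and run. The port-5500 rule is deliberately narrow; on a real fleet pair it with the parent-chain rule rather than alerting on the port alone.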

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments