MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 882df8937c7fb3cbfd576a5d335df42a78821c8e26b1d0f88e4f4bac46ab064f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Grandoreiro


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 882df8937c7fb3cbfd576a5d335df42a78821c8e26b1d0f88e4f4bac46ab064f
SHA3-384 hash: 96efaade43b47192395feb948cd5d604f3bb6d9f9c7bf48cdac2758adac285fc0948f6368aab7664c2b0f31061ca6e67
SHA1 hash: 864cd480834007a3ec9bb4d36851030bc9317c34
MD5 hash: ee585baf8691b05445c29031468a4f89
humanhash: quebec-crazy-sweet-mango
File name:❉processo❉_⑤②⑧⑥③④⑧②.hta
Download: download sample
Signature Grandoreiro
Create hunting rule
File size:141 bytes
First seen:2024-11-01 15:55:53 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 3:qVoB3tObvYKGBQWgPIucJqPWKTSBDcEWHLGXIMBWhtoAcMBcacWWGb:q43tEvGaWbTEpSBAEWrVMch0MWXfGb
TLSH T1F6C02BBB2D040C2900B0A4B458D4D87400C3388057E38A13C0AA40F33E0035C1CC38CB
Magika html
Reporter NDA0E
Tags:geo Grandoreiro hta MEX PRT

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.HTML.Script-inf.18805.15532.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6724fa1549e92a05dde2457c
Tags:
powershell autorun emotet
Result
Verdict:
Clean
File Type:
HTA File
Link:
https://app.docguard.net/882df8937c7fb3cbfd576a5d335df42a78821c8e26b1d0f88e4f4bac46ab064f/results/dashboard
Payload URLs
URL
File name
https://processoeconsulta.online/6724f91d7b3cb/js/6724f91d7b351.js
HTA File
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/882df8937c7fb3cbfd576a5d335df42a78821c8e26b1d0f88e4f4bac46ab064f
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1546870
Signature
AI detected suspicious sample
Excessive usage of taskkill to terminate processes
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Overwrites code with function prologues
Potential malicious VBS script found (has network functionality)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546870 Sample: #U2749processo#U2749_#U2464... Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 81 processoeconsulta.online 2->81 83 worldtimeapi.org 2->83 85 wnn565d215c.servegame.com 2->85 101 Multi AV Scanner detection for dropped file 2->101 103 Sigma detected: Suspicious MSHTA Child Process 2->103 105 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->105 107 6 other signatures 2->107 11 mshta.exe 15 2->11         started        signatures3 process4 dnsIp5 93 processoeconsulta.online 198.54.116.219, 443, 49730, 49731 NAMECHEAP-NETUS United States 11->93 79 C:\Users\user\...\6724f91d7b548[1].vbs, ASCII 11->79 dropped 15 cmd.exe 3 2 11->15         started        17 cmd.exe 1 11->17         started        20 cmd.exe 11->20         started        file6 process7 signatures8 22 wscript.exe 2 23 15->22         started        27 conhost.exe 15->27         started        95 Uses ping.exe to check the status of other devices and networks 17->95 97 Uses netsh to modify the Windows network and firewall settings 17->97 99 Uses ipconfig to lookup or modify the Windows network settings 17->99 29 curl.exe 2 17->29         started        31 conhost.exe 17->31         started        33 conhost.exe 20->33         started        35 wscript.exe 20->35         started        process9 dnsIp10 89 64.94.85.196, 49739, 80 CONCENTUSNETUS United States 22->89 71 C:\_6724f91d7b3cb\unrar.dll, PE32 22->71 dropped 73 C:\_6724f91d7b3cb\CSRPS.exe, PE32 22->73 dropped 75 C:\_6724f91d7b3cb\7zxa.dll, PE32 22->75 dropped 115 System process connects to network (likely due to code injection or exploit) 22->115 117 Windows Scripting host queries suspicious COM object (likely to drop second stage) 22->117 37 CSRPS.exe 1 7 22->37         started        91 127.0.0.1 unknown unknown 29->91 77 C:\Users\Public\6724f91d7b54a.vbs, ASCII 29->77 dropped 119 Potential malicious VBS script found (has network functionality) 29->119 file11 signatures12 process13 dnsIp14 87 worldtimeapi.org 213.188.196.246 TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO Italy 37->87 69 C:\Users\user\AppData\Local\Temp\hcx.dll, PE32 37->69 dropped 109 Overwrites code with function prologues 37->109 111 Uses schtasks.exe or at.exe to add and modify task schedules 37->111 113 Modifies the windows firewall 37->113 42 cmd.exe 37->42         started        45 cmd.exe 37->45         started        47 cmd.exe 37->47         started        49 13 other processes 37->49 file15 signatures16 process17 signatures18 121 Excessive usage of taskkill to terminate processes 42->121 61 5 other processes 42->61 51 conhost.exe 45->51         started        53 taskkill.exe 45->53         started        63 2 other processes 45->63 65 4 other processes 47->65 55 conhost.exe 49->55         started        57 conhost.exe 49->57         started        59 conhost.exe 49->59         started        67 29 other processes 49->67 process19
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/882df8937c7fb3cbfd576a5d335df42a78821c8e26b1d0f88e4f4bac46ab064f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/882df8937c7fb3cbfd576a5d335df42a78821c8e26b1d0f88e4f4bac46ab064f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=raw7re34p6z4x7kxnjotgxpufj4ieheoe2y5b6eoj5f2yrvlazhq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/241101-tvfscatqaq/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
System Location Discovery: System Language Discovery
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/882df8937c7fb3cbfd576a5d335df42a78821c8e26b1d0f88e4f4bac46ab064f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments