MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bf7d79425114140c858c24114586ac08a9688e4f23b32e95533c97c89b99643. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bf7d79425114140c858c24114586ac08a9688e4f23b32e95533c97c89b99643
SHA3-384 hash: f4664e2efe677cec55e6b30298756b407cee264de6318b13c781f45bb32b636604f648932c2eff0832566d740fb93c19
SHA1 hash: 94208f885255c808d6ff609956ac6b80cb789573
MD5 hash: 10184fe59d8f1d9d1f50d9e373f1c007
humanhash: artist-william-illinois-early
File name:es.hta
Download: download sample
File size:22'114 bytes
First seen:2024-11-22 23:56:49 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 384:CcxhZ9NREaeBiDepANfCTN8WQ+t6pZRXhQZzWC:NZ9NREae9ANfCTN8WQ+kpZ5hUzZ
TLSH T1D9A2CDFB3B827BDD8E4309747FCA103ECEB1747A3A104A41C98653E4A9BED4919B5C46
Magika vba
Reporter abuse_ch
Tags:hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.11077.7686.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67411ae8d0583382434a9319
Tags:
xtreme gumen shell sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/8bf7d79425114140c858c24114586ac08a9688e4f23b32e95533c97c89b99643/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/67411a4f04cce3ac5e2f240b/reports/4e4ec567-66eb-4409-8979-05a00a5575dd/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8bf7d79425114140c858c24114586ac08a9688e4f23b32e95533c97c89b99643
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1561279
Signature
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561279 Sample: es.hta Startdate: 23/11/2024 Architecture: WINDOWS Score: 100 92 pub-37d3986658af451c9d52bb9f482b3e2d.r2.dev 2->92 98 Malicious sample detected (through community Yara rule) 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 Yara detected UAC Bypass using CMSTP 2->102 104 4 other signatures 2->104 10 msiexec.exe 99 83 2->10         started        13 IDRBackup.exe 2->13         started        16 mshta.exe 1 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 84 C:\Users\user\AppData\Local\...\vclx120.bpl, PE32 10->84 dropped 86 C:\Users\user\AppData\Local\...\vcl120.bpl, PE32 10->86 dropped 88 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 10->88 dropped 90 6 other malicious files 10->90 dropped 21 IDRBackup.exe 12 10->21         started        25 IDRBackup.exe 1 10->25         started        27 IDRBackup.exe 1 10->27         started        122 Maps a DLL or memory area into another process 13->122 124 Found direct / indirect Syscall (likely to bypass EDR) 13->124 29 cmd.exe 13->29         started        126 Suspicious powershell command line found 16->126 31 powershell.exe 20 18 16->31         started        94 127.0.0.1 unknown unknown 18->94 34 cmd.exe 18->34         started        36 cmd.exe 18->36         started        file6 signatures7 process8 dnsIp9 72 C:\Users\user\AppData\Roaming\...\vclx120.bpl, PE32 21->72 dropped 74 C:\Users\user\AppData\Roaming\...\vcl120.bpl, PE32 21->74 dropped 76 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 21->76 dropped 78 6 other malicious files 21->78 dropped 106 Switches to a custom stack to bypass stack traces 21->106 108 Found direct / indirect Syscall (likely to bypass EDR) 21->108 38 IDRBackup.exe 1 21->38         started        41 IDRBackup.exe 1 25->41         started        43 IDRBackup.exe 1 27->43         started        45 conhost.exe 29->45         started        96 pub-37d3986658af451c9d52bb9f482b3e2d.r2.dev 162.159.140.237, 443, 49730 CLOUDFLARENETUS United States 31->96 47 conhost.exe 31->47         started        49 msiexec.exe 3 31->49         started        51 conhost.exe 34->51         started        53 conhost.exe 36->53         started        file10 signatures11 process12 signatures13 110 Maps a DLL or memory area into another process 38->110 112 Switches to a custom stack to bypass stack traces 38->112 55 cmd.exe 38->55         started        59 cmd.exe 41->59         started        61 cmd.exe 43->61         started        process14 file15 80 C:\Users\user\AppData\Local\Temp\jwhchx, PE32+ 55->80 dropped 82 C:\Users\user\...\comvalidate_ljv3.exe, PE32+ 55->82 dropped 114 Writes to foreign memory regions 55->114 116 Found hidden mapped module (file has been removed from disk) 55->116 118 Maps a DLL or memory area into another process 55->118 120 Switches to a custom stack to bypass stack traces 55->120 63 comvalidate_ljv3.exe 55->63         started        66 conhost.exe 55->66         started        68 conhost.exe 59->68         started        70 conhost.exe 61->70         started        signatures16 process17 signatures18 128 Found direct / indirect Syscall (likely to bypass EDR) 63->128
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8bf7d79425114140c858c24114586ac08a9688e4f23b32e95533c97c89b99643
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bf7d79425114140c858c24114586ac08a9688e4f23b32e95533c97c89b99643/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2024-11-20 17:54:02 UTC
File Type:
Text (VBS)
AV detection:
7 of 24 (29.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rp35pfbfcfaubscyyjariwdkycfjnche6i5tf2kvgpexzcnzszbq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/241122-3zkfrsylhl/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8bf7d7942511/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bf7d79425114140c858c24114586ac08a9688e4f23b32e95533c97c89b99643

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HTML Application (hta) hta 8bf7d79425114140c858c24114586ac08a9688e4f23b32e95533c97c89b99643

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3300068/
  
Delivery method
Distributed via web download

Comments