MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fbc6e130495a84791fe0fddb2f49e158b52a2fa3207c58c8576b79be40cb1df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	8fbc6e130495a84791fe0fddb2f49e158b52a2fa3207c58c8576b79be40cb1df
SHA3-384 hash:	f1997138ca74534a490c3c0dd94bd7d9d61f9ee1bc4b63370ac2b5ac43ee7a4abd232d75b75c2dd82fdabe9f6dc94d25
SHA1 hash:	568ee387e33b793b13c0c84129864f9d47313653
MD5 hash:	15817e3ef9b2077637f2d5eb68c12618
humanhash:	december-kentucky-yellow-happy
File name:	Listas de productos.vbs
Download:	download sample
Signature	N-W0rm Create hunting rule
File size:	220'120 bytes
First seen:	2026-04-15 07:54:13 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	6144:6AXJpZTWBoNyxfisCXnzSFlc0bVq+MI4N154WrrBn4f:6mJDTUocxffCXzSFlc0bk+2N154WF4f
Threatray	125 similar samples on MalwareBazaar
TLSH	T13E246B163BF9D908B7F38E8799E6B0AF1A3FFB612D15D60E33840B4D057421095A17AB
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	vba
Reporter	abuse_ch
Tags:	N-W0rm vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61667/

Detection(s):

Sanesecurity.Malware.27117.HtaHeur.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69df44edf68adfe10039fa42

Tags:

n/a

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/69df45349124ebc08752924d/reports/cab5fe3d-40b1-454a-ba6c-03697c060057/overview

Verdict:

Suspicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8fbc6e130495a84791fe0fddb2f49e158b52a2fa3207c58c8576b79be40cb1df

Verdict:

Malicious

File Type:

vbs

First seen:

2026-04-14T10:30:00Z UTC

Last seen:

2026-04-16T18:32:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic

Link:

https://opentip.kaspersky.com/8fbc6e130495a84791fe0fddb2f49e158b52a2fa3207c58c8576b79be40cb1df/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1898545

Signature

Bypasses PowerShell execution policy

Creates an undocumented autostart registry key

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

VBScript performs obfuscated calls to suspicious functions

Windows Scripting host queries suspicious COM object (likely to drop second stage)

WScript reads language and country specific registry keys (likely country aware script)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell decode and execute

Behaviour

Behavior Graph:

Download SVG

Score:

30%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/8fbc6e130495a84791fe0fddb2f49e158b52a2fa3207c58c8576b79be40cb1df

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8fbc6e130495a84791fe0fddb2f49e158b52a2fa3207c58c8576b79be40cb1df/

Verdict:

Malicious

Threat:

Trojan.Script

Link:

https://tip.neiki.dev/file/8fbc6e130495a84791fe0fddb2f49e158b52a2fa3207c58c8576b79be40cb1df

Threat name:

Win32.Trojan.Qwexlafiba

Status:

Malicious

First seen:

2026-04-15 01:18:33 UTC

File Type:

Text (VBS)

AV detection:

4 of 24 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r66g4eyeswuepep6b7o3f5e6cwfvfix2gid4ldefo23zxzamwhpq._file

Verdict:

malicious

Label(s):

unc_stealer_006

N-W0rm

0563f9e1d0fe8c2cf932f55fb8341ee86c1d1ee7d1be5d99f929db36d92dcf97

N-W0rm

206bc809554c8877ae3ddff321ce2a637a122451a24482eac52d5606680f4488

N-W0rm

3e0429ba1bb7bb27751b7bf7d1f6c9561ffe5dcd41dd9ef7ef6d17f0b0a29b90

N-W0rm

435bceaf240dd7711542a723a6988b280948e77e9953614d981d653680de9f49

N-W0rm

728e75ae848ac62aa705ed4e4c000dd3dfa2a4cf70a5adfbc56c5a9d2b017792

N-W0rm

d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2

N-W0rm

error

N-W0rm

+ 115 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

collection discovery execution persistence privilege_escalation spyware stealer

Link:

https://tria.ge/reports/260415-js2lxscs4t/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

Accesses Microsoft Outlook profiles

Checks installed software on the system

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Registers new Windows logon scripts automatically executed at logon.

Badlisted process makes network request

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8fbc6e130495/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/8fbc6e130495a84791fe0fddb2f49e158b52a2fa3207c58c8576b79be40cb1df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_VBS_Wscript_Shell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/61667/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample