MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bc11a08f96c9b97238ffe8671c801817fe7844e280f479a7b7ce880ec197ed8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bc11a08f96c9b97238ffe8671c801817fe7844e280f479a7b7ce880ec197ed8
SHA3-384 hash: e94a08ae27b12aa719523e497f6ddd34e9379387142abf0248741bbe3dbb36804cb310a9f839eea489b04a883d4eb2bd
SHA1 hash: de6e2711a12a1c86e6755f6756f6d7ba980c4005
MD5 hash: a24308eb76c58d64f5bba6520777d4c5
humanhash: speaker-victor-oscar-eighteen
File name:JZ74.vbs
Download: download sample
File size:4'924 bytes
First seen:2021-05-06 14:11:33 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:P707U727LxZK71r7uY7Q7g7t7s717+7i7+7/72767272727X727L7272727g727U:P707U727Fo71r7x7Q7g7t7s717+7i7+l
Threatray 192 similar samples on MalwareBazaar
TLSH 78A130CE4B49AC6E40055F2AFC31C35D69A6D0960DBA928AFE07E8447B9F400C3D9F17
Reporter cbecks2

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151677/
Detection(s):
SecuriteInfo.com.Trojan.VBS.SAgent.gen.11970.25639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/716405
Signature
.NET source code references suspicious native API functions
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Powershell download and load assembly
VBScript performs obfuscated calls to suspicious functions
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 407148 Sample: JZ74.vbs Startdate: 07/05/2021 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 4 other signatures 2->50 7 wscript.exe 8 2->7         started        11 wscript.exe 1 2->11         started        process3 file4 34 C:\Users\user\AppData\Roaming\...\Chrome.vbs, ASCII 7->34 dropped 54 VBScript performs obfuscated calls to suspicious functions 7->54 56 Wscript starts Powershell (via cmd or directly) 7->56 58 Potential evasive VBS script found (sleep loop) 7->58 60 2 other signatures 7->60 13 powershell.exe 14 16 7->13         started        18 powershell.exe 12 11->18         started        signatures5 process6 dnsIp7 42 ia601502.us.archive.org 207.241.227.112, 443, 49729 INTERNET-ARCHIVEUS United States 13->42 36 C:\Users\Public\Documents\Oneman.htm, PE32 13->36 dropped 62 Writes to foreign memory regions 13->62 64 Injects a PE file into a foreign processes 13->64 66 Powershell drops PE file 13->66 20 jsc.exe 15 2 13->20         started        24 conhost.exe 13->24         started        68 Sample uses process hollowing technique 18->68 26 jsc.exe 3 18->26         started        28 conhost.exe 18->28         started        30 jsc.exe 18->30         started        32 2 other processes 18->32 file8 signatures9 process10 dnsIp11 38 ipwhois.app 136.243.172.101, 443, 49740 HETZNER-ASDE Germany 20->38 40 hostmeisgood.publicvm.com 54.91.196.22, 310, 49743 AMAZON-AESUS United States 20->40 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->52 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bc11a08f96c9b97238ffe8671c801817fe7844e280f479a7b7ce880ec197ed8/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 14:12:17 UTC
AV detection:
2 of 47 (4.26%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
4c6c1c0d7925af6c2891164d67743204132fcc8ea3cda471c005f446ea1cfda1
51ad568171d6a835bc1edd45cfe1fee659085dfc4522ac3d93c1458688d44bd5
7ca4d82a3c58cde4fefab8647f477ec29e903507c99212c6ae53a6802223423d
810bbf258484b94bf2e51c7fba2f8a19f6aaf1137c982d2d6a97e600159c16fa
904a518a8c867a1fd79e963fcdd317aa9f5a76eb6964b027cb0566d4a87102d7
9cdcc531878d3a23d2da833a058efa100b91d212e4d5780cb21d5d36db0cbd01
aee8596ddc3927e7c89221f7153735aacb6f5ebfd7baa843d12a62c6dd48c3eb
b71d6728f8709dc2b8b6a57bbd0ea7d27e78a0ea16af5eff61b2d11f983e0129
b7f09be3bf95632ac3219b3d402a419e9bc40a54a3fc6ac1c57c183798e525fe
ee1b2c9bdba344c7fe2dc2bec7544a038ad64dbed6add636ecdd426079296c28
+ 182 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210506-sc5t6gydv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Blocklisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bc11a08f96c9b97238ffe8671c801817fe7844e280f479a7b7ce880ec197ed8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/151677/

Comments