MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4
SHA3-384 hash: 466d9570f608aaae3a90e6454e00f10997df3bed2de1bb41c9021b661fc651297761c85d9a2a857c34ee51a9d07347b5
SHA1 hash: c9c39d4af0d046f50f70a707bca9755719bebe1d
MD5 hash: 38ca9a71dacbecad96ea643bd48338b7
humanhash: tennessee-aspen-red-cup
File name:9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4.vbs
Download: download sample
File size:765'798 bytes
First seen:2026-01-16 18:43:20 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:5+KBdvqBdKqBdzxBs+BqwBzwB+BwwBzxqBzxBxdBzKqBwBsdBdzzBwsBddBzqBqQ:M
TLSH T1AAF4903D417FEC887303F419537972B88E51B57ABEE938CB51A1CD26D81BACEC895890
Magika vba
Reporter johnk3r
Tags:007consultoriafinanceira-net banker docsmoonstudioclayworks-site Downloader Ghost vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49121/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696a369457243ef151cd90ce
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt evasive lolbin msiexec obfuscated powershell
Link:
https://www.filescan.io/uploads/696a86cefdafd7624aaf3e87/reports/95ecf3a0-c17c-459f-8c20-9295f76c781f/overview
Verdict:
Malicious
Labled as:
TR/SNH
Link:
https://www.hybrid-analysis.com/sample/9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4
Verdict:
Malicious
File Type:
vbs
First seen:
2026-01-16T10:08:00Z UTC
Last seen:
2026-01-17T12:48:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.Sneaky.HTTP.ServerRequest PDM:Trojan.Win32.Generic HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4/results?tab=lookup
Result
Threat name:
Brazilian Banker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1852254
Signature
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Brazilian Banker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1852254 Sample: SouLoE0mcm.vbs Startdate: 16/01/2026 Architecture: WINDOWS Score: 100 42 docsmoonstudioclayworks.site 2->42 44 api.ipify.org 2->44 46 007consultoriafinanceira.net 2->46 54 Antivirus detection for URL or domain 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected Brazilian Banker 2->58 60 3 other signatures 2->60 7 wscript.exe 1 8 2->7         started        12 msiexec.exe 89 43 2->12         started        14 kernel_win64.exe 2->14         started        16 kernel_win64.exe 2->16         started        signatures3 process4 dnsIp5 52 docsmoonstudioclayworks.site 83.229.17.71, 443, 49715 SKYVISIONGB United Kingdom 7->52 26 C:\ProgramData\...\installer_47844.msi, Composite 7->26 dropped 28 C:\ProgramData\WindowsDiru\installer2.zip, Zip 7->28 dropped 30 C:\ProgramData\WindowsDiru\installer2.msi, Composite 7->30 dropped 32 C:\ProgramData\WindowsDiru\install_log.txt, ISO-8859 7->32 dropped 64 System process connects to network (likely due to code injection or exploit) 7->64 66 VBScript performs obfuscated calls to suspicious functions 7->66 68 Windows Scripting host queries suspicious COM object (likely to drop second stage) 7->68 18 msiexec.exe 7->18         started        20 msiexec.exe 7->20         started        34 C:\tadeu\...\kernel_win64.exe, PE32 12->34 dropped 36 C:\tadeu\...\libGLES_base_legacy.log, Unicode 12->36 dropped 38 C:\tadeu\...\ssleay32.dll, PE32 12->38 dropped 40 2 other files (none is malicious) 12->40 dropped 22 kernel_win64.exe 2 2 12->22         started        file6 signatures7 process8 dnsIp9 48 007consultoriafinanceira.net 83.229.17.124, 443, 49723 SKYVISIONGB United Kingdom 22->48 50 api.ipify.org 104.26.12.205, 443, 49722 CLOUDFLARENETUS United States 22->50 62 Tries to harvest and steal browser information (history, passwords, etc) 22->62 signatures10
Score:
79%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4/
Verdict:
Malicious
Threat:
Trojan-Downloader.Script
Link:
https://tip.neiki.dev/file/9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-01-16 13:01:12 UTC
File Type:
Text (VBS)
AV detection:
3 of 36 (8.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsqgns6ubmgjtuifsrt5mfib5fmqbtr7wdhbs5zwasg4lucwa3ka._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/260116-xc64csdx3b/
Behaviour
Checks processor information in registry
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Visual Basic Script (vbs) vbs 9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4

(this sample)

Microsoft Software Installer (MSI) msi 2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21

zip 614ba1acb334bf24a690ec2b75bd749baa05095cf2faf86a93d49ce69fad57bd

  
Dropping
SHA256 614ba1acb334bf24a690ec2b75bd749baa05095cf2faf86a93d49ce69fad57bd
Cape
Cape
https://www.capesandbox.com/analysis/49121/
  
Dropping
MD5 620f2d3525d119276acef8b8deba4422

Comments