MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a29b298d47a77ebcdd68e8ca81538d15ef1f53f0ef4ee6041603ef68987bc26b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4

SHA256 hash: a29b298d47a77ebcdd68e8ca81538d15ef1f53f0ef4ee6041603ef68987bc26b
SHA3-384 hash: 42cd815804d04128b123db7d04d483982969b152370c499b325c969a142fa1f2a125bc46dfaecf44d1ccef407677acd8
SHA1 hash: 794ad8b835a4a572c887b046c1da497e4c6cbbb7
MD5 hash: 860f11d8df164dc4224498db8b2331c9
humanhash: salami-texas-bacon-table
File name: 한라산업개발(2022.02.07).pdf.vbs
File size: 2,726 bytes
First seen: 2022-02-07 08:08:37 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:F2IaVNVQXk7Y5JWMPIja7NmbI4kA5iOP/0/hE8OrnNjiudKQ+LL7MbS:sIavVkJPPx7NmM4kAgGqhbKNuu0DLLgO
Threatray: 62 similar samples on MalwareBazaar
TLSH: T17651545E396BF564A95A2D62EC8F486E45F4515A303AC090BA0C8ED00F3C07C5B89DDF
Reporter: abuse_ch
Tags: vbs


abuse_ch
Payload URLs (both on amilaobodo.giize.com, the host powershell.exe contacted in the sandbox run; note the .jpg extensions on what the run shows to be a PE drop):
http://amilaobodo.giize.com/obodo/5bab0b1d864615bab0b1d864b3/atx.jpg
http://amilaobodo.giize.com/obodo/5bab0b1d864615bab0b1d864b3/glx1.jpg

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 130
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name: Unknown
Detection: malicious
Classification: evad (evasive)
Score: 88 / 100
Signatures:
Command shell drops VBS files
DLL side loading technique detected
Injects a PE file into a foreign processes
Powershell drops PE file
System process connects to network (likely due to code injection or exploit)
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Behaviour

Behavior Graph (ID 567427; sample 한라산업개발(2022.02.07).pdf.vbs; start date 07/02/2022; architecture WINDOWS; score 88). The interactive graph is rendered here as a process tree, with the network, file and signature annotations attached to the node they belong to:

Sandbox root: resolved github.com and avatars.githubusercontent.com; Yara detected Costura Assembly Loader. Three wscript.exe instances were started.

wscript.exe (10)
  network: amilaobodo.giize.com 103.89.91.29, source ports 49716, 49756, 49757 (VNPT-AS-VN, Viet Nam)
  signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Very long command line found; 2 other signatures
  -> cmd.exe (22): drops a copy of the VBS sample (ASCII); signature: Command shell drops VBS files; -> conhost.exe (35)
  -> powershell.exe (18): contacts amilaobodo.giize.com; signature: Powershell drops PE file; -> control.exe (33) and 3 other processes
       control.exe (33) -> chrome.exe (51) -> chrome.exe (65); chrome.exe (53) -> chrome.exe (67)

wscript.exe (14)
  network: 192.168.2.1
  -> cmd.exe (27) -> conhost.exe (41)
  -> powershell.exe (25): contacts amilaobodo.giize.com; drops C:\Users\user\AppData\...\AgileDotNetRT64.dll (PE32+, listed twice); signatures: Writes to foreign memory regions; DLL side loading technique detected; Injects a PE file into a foreign processes; -> control.exe (37), conhost.exe (39)
       control.exe (37) -> chrome.exe (55), chrome.exe (59)
       chrome.exe (55): 192.168.2.5:443 (source ports 49675, 49683); 239.255.255.250 (reserved); drops C:\...\pnacl_public_x86_64_pnacl_sz_nexe, C:\...\pnacl_public_x86_64_pnacl_llc_nexe, C:\Users\user\...\pnacl_public_x86_64_ld_nexe (ELF; these are Chrome's own PNaCl component files, not attacker payloads); -> chrome.exe (69)
       chrome.exe (69): accounts.google.com 142.250.203.109:443 (GOOGLEUS, United States); googlehosted.l.googleusercontent.com 172.217.168.33:443 (GOOGLEUS, United States); 10 other IPs or domains
       chrome.exe (59) -> chrome.exe (72)

wscript.exe (16)
  -> cmd.exe (31) -> conhost.exe (47)
  -> powershell.exe (29): contacts amilaobodo.giize.com; -> control.exe (43), conhost.exe (45)
       control.exe (43) -> chrome.exe (61) -> chrome.exe (74); chrome.exe (63) -> chrome.exe (76)
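The execution chain in the sandbox run (wscript.exe starting cmd.exe and powershell.exe, a very long PowerShell command line, powershell.exe starting control.exe, control.exe starting chrome.exe, and a DLL dropped under AppData) is the kind of parent/child and image-load pattern that is cheap to hunt for in endpoint telemetry. The script below is an added example, not MalwareBazaar's or the sandbox vendor's code: it encodes those observations as rules and runs them over a handful of constructed process-creation and image-load records with Sysmon Event ID 1 / 7 style fields. The 1024-character command-line threshold, the field names, the rule names, the sample PIDs and paths are all assumptions; the page does not state which process loaded AgileDotNetRT64.dll, so the side-loading rule is written generically (a binary under C:\Windows loading a DLL from a user-writable directory) and the sample event that triggers it is constructed.

```python
"""Hunting rules for the wscript -> shell -> control.exe -> chrome.exe chain
seen in the sandbox run, applied to constructed Sysmon-style events.
Added example; not code from MalwareBazaar or the sandbox vendor."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class ProcessCreate:
    """Minimal process-creation record (field set is an assumption)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


@dataclass
class ImageLoad:
    """Minimal image-load record (field set is an assumption)."""
    pid: int
    image: str      # full path of the loading process
    loaded: str     # full path of the DLL that was loaded


LONG_CMDLINE = 1024                      # assumption: tune per environment
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(procs: Dict[int, ProcessCreate], pid: int, depth: int = 4) -> List[str]:
    """Image basenames walking up from pid: [self, parent, grandparent, ...]."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen and len(chain) < depth:
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain


def detect(process_events: Iterable[ProcessCreate],
           imageload_events: Iterable[ImageLoad]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) pairs for every event that matches a rule."""
    process_events = list(process_events)
    procs = {e.pid: e for e in process_events}
    alerts: List[Tuple[int, str]] = []
    for e in process_events:
        chain = ancestry(procs, e.pid)
        me, parent = chain[0], (chain[1] if len(chain) > 1 else "")
        # "Very long command line found"
        if len(e.cmdline) >= LONG_CMDLINE:
            alerts.append((e.pid, "very_long_command_line"))
        # "Wscript starts Powershell (via cmd or directly)"
        if parent in SCRIPT_HOSTS and me in SHELLS:
            alerts.append((e.pid, "script_host_spawns_shell"))
        # powershell.exe -> control.exe, the hop before chrome.exe in the graph
        if parent in SHELLS and me == "control.exe":
            alerts.append((e.pid, "shell_spawns_control_exe"))
        # control.exe -> chrome.exe with a shell further up the tree
        if me == "chrome.exe" and parent == "control.exe" and any(a in SHELLS for a in chain[2:]):
            alerts.append((e.pid, "control_exe_to_chrome_from_shell"))
    for ev in imageload_events:
        # "DLL side loading technique detected": a binary shipped under C:\Windows
        # loading a DLL out of a user-writable directory (generic; the page does not
        # say which process loaded the dropped AgileDotNetRT64.dll).
        loaded = ev.loaded.lower()
        if (ev.image.lower().startswith("c:\\windows\\") and loaded.endswith(".dll")
                and any(d in loaded for d in USER_WRITABLE)):
            alerts.append((ev.pid, "windows_binary_loads_dll_from_user_path"))
    return alerts


def sample_events() -> Tuple[List[ProcessCreate], List[ImageLoad]]:
    """Constructed events approximating the sandbox chain; not a real log."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    procs = [
        ProcessCreate(4, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        ProcessCreate(10, 4, r"C:\Windows\System32\wscript.exe",
                      r'wscript.exe "C:\Users\user\Downloads\한라산업개발(2022.02.07).pdf.vbs"'),
        ProcessCreate(22, 10, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo payload > dropped.vbs"),
        ProcessCreate(18, 10, ps, "powershell.exe -nop -w hidden -enc " + "Q" * 2000),
        ProcessCreate(33, 18, r"C:\Windows\System32\control.exe", "control.exe"),
        ProcessCreate(51, 33, chrome, "chrome.exe"),
        # benign activity for contrast: interactive PowerShell and a normal Chrome launch
        ProcessCreate(200, 4, ps, "powershell.exe"),
        ProcessCreate(201, 4, chrome, "chrome.exe"),
    ]
    loads = [
        ImageLoad(33, r"C:\Windows\System32\control.exe",
                  r"C:\Users\user\AppData\Local\Temp\AgileDotNetRT64.dll"),
        ImageLoad(201, chrome, r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll"),
    ]
    return procs, loads


def run_sample() -> List[Tuple[int, str]]:
    procs, loads = sample_events()
    return detect(procs, loads)


if __name__ == "__main__":
    for pid, rule in run_sample():
        print(f"pid {pid}: {rule}")
```

On the constructed input the benign PowerShell and Chrome launches stay silent; every hit comes from the wscript-rooted subtree, with pid 18 matching twice (long command line and script-host parent) and control.exe matching on both its parent and the user-path DLL load. The ancestry walk is capped at four hops and guards against PID cycles, which matter when PIDs are reused in long-lived telemetry.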
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments