MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a549c8c52d6237564dd94c08fc98f9ced50a20de25da52db8b8518c1604fdf71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GoToResolve


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a549c8c52d6237564dd94c08fc98f9ced50a20de25da52db8b8518c1604fdf71
SHA3-384 hash: 297f6dae6b23d654fbf6a4d37844e565ba64c85d895fc92ecfbec9adca8b384523dd168678891800b39ecc13638d53c3
SHA1 hash: 1146adf262fbb0f497630b77edd5e4f88ebeb4fa
MD5 hash: ac608a926c457868bff0379713cfb58c
humanhash: south-march-grey-green
File name:Adobe_Reader_Access_Document.vbs
Download: download sample
Signature GoToResolve
Create hunting rule
File size:3'378 bytes
First seen:2026-04-15 07:54:19 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:KNx1dmdMsEvDxTP1tre14ma8OEExu793AVYYlrpRsaA064t4+V2:K3eM9c6ma8hQtLRAYt4
TLSH T1E56192CDB203E109CBB3D43580B74C2DB6A56076D6D4E5313EC8CA88CD19324ABED16B
Magika vba
Reporter abuse_ch
Tags:GoToResolve vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61669/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69de3852f68adfe10039b300
Tags:
virus shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive explorer lolbin msiexec powershell taskkill wscript
Link:
https://www.filescan.io/uploads/69df454dd920e19044fc6311/reports/592f2bbb-67c8-4065-abb6-144e74d5107e/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/a549c8c52d6237564dd94c08fc98f9ced50a20de25da52db8b8518c1604fdf71
Verdict:
Malicious
File Type:
vbs
First seen:
2026-04-03T01:59:00Z UTC
Last seen:
2026-04-17T06:35:00Z UTC
Hits:
~100
Detections:
Trojan.JS.SAgent.sb PDM:Trojan.Win32.Generic Trojan-Downloader.JS.SLoad.sb HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic not-a-virus:HEUR:RemoteAdmin.Win32.GoToResolve.gen
Link:
https://opentip.kaspersky.com/a549c8c52d6237564dd94c08fc98f9ced50a20de25da52db8b8518c1604fdf71/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1898543
Signature
Disable Windows Defender real time protection (registry)
Disables the Smart Screen filter
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Query firmware table information (likely to detect VMs)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Explorer NOUACCHECK Flag
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to download and execute files (via powershell)
Uses cmd line tools excessively to alter registry or file data
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1898543 Sample: Adobe_Reader_Access_Document.vbs Startdate: 15/04/2026 Architecture: WINDOWS Score: 100 38 store9.gofile.io 2->38 40 store3.gofile.io 2->40 42 4 other IPs or domains 2->42 52 Multi AV Scanner detection for submitted file 2->52 54 Sample has a suspicious name (potential lure to open the executable) 2->54 56 Potential malicious VBS script found (suspicious strings) 2->56 58 6 other signatures 2->58 9 wscript.exe 1 2->9         started        12 explorer.exe 52 125 2->12         started        signatures3 process4 dnsIp5 60 VBScript performs obfuscated calls to suspicious functions 9->60 62 Suspicious powershell command line found 9->62 64 Wscript starts Powershell (via cmd or directly) 9->64 70 4 other signatures 9->70 15 wscript.exe 2 9->15         started        46 ax-0003.ax-msedge.net 150.171.27.12, 443, 49693 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->46 66 System process connects to network (likely due to code injection or exploit) 12->66 68 Query firmware table information (likely to detect VMs) 12->68 signatures6 process7 signatures8 72 Uses cmd line tools excessively to alter registry or file data 15->72 74 Injects code into the Windows Explorer (explorer.exe) 15->74 76 WScript reads language and country specific registry keys (likely country aware script) 15->76 18 reg.exe 1 1 15->18         started        21 reg.exe 1 1 15->21         started        23 powershell.exe 14 16 15->23         started        26 3 other processes 15->26 process9 dnsIp10 48 Disables the Smart Screen filter 18->48 28 conhost.exe 18->28         started        50 Disable Windows Defender real time protection (registry) 21->50 30 conhost.exe 21->30         started        44 store9.gofile.io 94.139.32.9, 443, 49694 ENIX-ASFR Belgium 23->44 32 conhost.exe 23->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        signatures11 process12
Score:
41%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/a549c8c52d6237564dd94c08fc98f9ced50a20de25da52db8b8518c1604fdf71
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a549c8c52d6237564dd94c08fc98f9ced50a20de25da52db8b8518c1604fdf71/
Verdict:
Malicious
Threat:
Trojan-Downloader.Win32.GoToResolve
Link:
https://tip.neiki.dev/file/a549c8c52d6237564dd94c08fc98f9ced50a20de25da52db8b8518c1604fdf71
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-04-14 12:51:37 UTC
File Type:
Text (VBS)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uve4rrjnmi3vmtozjqepzghzz3kquig6exnffw4lqummcycp35yq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
backdoor defense_evasion discovery evasion execution persistence privilege_escalation ransomware rat spyware trojan
Link:
https://tria.ge/reports/260415-js7g6scs4y/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks system information in the registry
Drops file in System32 directory
Checks installed software on the system
Enumerates connected drives
Checks BIOS information in registry
Checks computer location settings
Detects GoToResolve remote administration tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Malware Config
Dropper Extraction:
https://store9.gofile.io/download/direct/cad2b711-6299-4806-9b5a-c439bf6b2e5d/LogMeInResolve_Unattended.msi
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a549c8c52d6237564dd94c08fc98f9ced50a20de25da52db8b8518c1604fdf71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:dgaaga
Create hunting rule
Author:Harshit
Description:Detects suspicious PowerShell or registry activity
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:kill_explorer
Create hunting rule
Author:iam-py-test
Description:Detect files killing explorer.exe
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/61669/

Comments