MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aca2123846da6433d7eeb8740c88d8ed0e109953816588219d6ace3969a5461f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aca2123846da6433d7eeb8740c88d8ed0e109953816588219d6ace3969a5461f
SHA3-384 hash: 6ba22e844b171b914e1612bc44d52fa3f4766d69f60fc410765b0981e6b2f2fa05e31d261596e613eba22a5d10371e2d
SHA1 hash: c852880a225464352c335f2d76573dbc6d882c97
MD5 hash: 5e2cfdb9727a06baf23c416beaf28c90
humanhash: violet-fillet-network-muppet
File name:PRODUCT INQUIRY.vbs
Download: download sample
File size:1'093'067 bytes
First seen:2023-02-27 16:23:28 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:I2ULQER8bgq4o34yjpAB0G/FGJrAiTrBNKeiE:Bb534yjpg0G9PyNjB
Threatray 305 similar samples on MalwareBazaar
TLSH T118357C70EA2A16194D5F1B9AFC828C4685BDC42D4627013DFD9E638E260769CC3FEB1D
Reporter abuse_ch
Tags:vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370330/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
cerberus
Link:
https://www.filescan.io/uploads/63fcd92a0796d7d621e8f919/reports/105195ff-5549-4cfd-81e9-200a2f88960d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/aca2123846da6433d7eeb8740c88d8ed0e109953816588219d6ace3969a5461f
Result
Verdict:
UNKNOWN
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.troj.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1183488
Signature
Installs a global keyboard hook
May check the online IP address of the machine
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 11802 Sample: PRODUCT INQUIRY.vbs Startdate: 27/02/2023 Architecture: WINDOWS Score: 84 31 mail.sigmanal.com 2->31 33 sigmanal.com 2->33 35 6 other IPs or domains 2->35 43 May check the online IP address of the machine 2->43 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 45 Wscript starts Powershell (via cmd or directly) 9->45 47 Obfuscated command line found 9->47 49 Very long command line found 9->49 51 Uses ipconfig to lookup or modify the Windows network settings 9->51 12 powershell.exe 7 9->12         started        15 ipconfig.exe 1 9->15         started        17 cmd.exe 1 9->17         started        process6 signatures7 53 Very long command line found 12->53 19 powershell.exe 12->19         started        21 conhost.exe 12->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        process8 process9 27 CasPol.exe 14 22 19->27         started        dnsIp10 37 api4.ipify.org 173.231.16.76, 443, 49814 WEBNXUS United States 27->37 39 sigmanal.com 173.237.185.121, 49816, 587 INTELLECTICA-US United States 27->39 41 2 other IPs or domains 27->41 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 27->55 57 Tries to steal Mail credentials (via file / registry access) 27->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 27->59 61 3 other signatures 27->61 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aca2123846da6433d7eeb8740c88d8ed0e109953816588219d6ace3969a5461f/
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 09:19:30 UTC
File Type:
Text
AV detection:
7 of 25 (28.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsrbeocg3jsdhv7oxb2azcgy5uhbbgktqfsyqim5nlhds2nfiypq._file
Verdict:
unknown
Similar samples:
067775099e8349a39928c3513c29a8f1910da84c60b11d33e83e7484ea9ba2da
13d8b891a0f9c00af8c624a5bfd24f42d15fba3e19225d29b9af39cd9f8cea03
796f40fe64dfbe836ee4b4fa8b1481c9aadef5185ccd6bb36128566eab071eea
7b2bcaa3723a8198c9a6f0878b77c7887554079e77e5c9b8f444570be1d744f6
948eced5fa27e7fc39b404778a20a98d2614158f4f54f1d151de933066045b10
ebfeb911e279133f37c9581a0b1c01044ec56ff471250b336327f2724a949865
f805289346faa5efd7236e0d70094df7983b2bde22ff24a4955fd7a8cb7983a4
+ 295 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230227-twdpdaee63/
Behaviour
Gathers network information
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://drive.google.com/uc?export=download&id=1urrBdHv5vV7gloXTn4Fw8D9kCY9wOoRA
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aca2123846da6433d7eeb8740c88d8ed0e109953816588219d6ace3969a5461f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:unknown_dropper
Create hunting rule
Author:#evilcel3ri
Description:Detects an unknown dropper

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370330/

Comments