MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acae2eb792f7d641ffa6b0fb92e885db935307ba0dba00afe113b78a9c1d267f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackShades


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acae2eb792f7d641ffa6b0fb92e885db935307ba0dba00afe113b78a9c1d267f
SHA3-384 hash: 1a6aa92f7825d11265818cef36990c376be98cefdee267e9e64a44be924e3237de0d7f927530982c78a8f7c1ce83ecb8
SHA1 hash: e7397fcb622c15f6c3d7b0d6636ab2c5f3849420
MD5 hash: b4d6e360106a621bf3100d3e6284d0ac
humanhash: jersey-early-ink-blossom
File name:PENDING ORDER ON TAS.vbs
Download: download sample
Signature BlackShades
Create hunting rule
File size:9'630'496 bytes
First seen:2025-04-06 05:29:27 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:5VpV5VpV5VpV5VpV5VpV5VpV5VpV5VpV5VpV5VpV5VpV5VpV5VpV5VpV5VpV5Vpj:6QCO5Z
TLSH T1FAA6EE4177FA12A27AF30F0A457D356A5A3E3E060EBBC26D682244995E77D84CCB0773
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika mp3
Reporter abuse_ch
Tags:BlackShades vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/818/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f211a3e011fe619fab7409
Tags:
autorun dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive masquerade powershell
Link:
https://www.filescan.io/uploads/67f21179eb7eb0aee041b858/reports/46c5aba3-cd63-4ec1-abee-b4dade31f5c3/overview
Verdict:
Malicious
Labled as:
Trojan.Script.VBS
Link:
https://www.hybrid-analysis.com/sample/acae2eb792f7d641ffa6b0fb92e885db935307ba0dba00afe113b78a9c1d267f
Result
Threat name:
Blackshades
Create hunting rule
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1657578
Signature
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Potential dropper URLs found in powershell memory
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Paste sharing url in reverse order
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Blackshades RAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1657578 Sample: PENDING ORDER ON TAS.vbs Startdate: 06/04/2025 Architecture: WINDOWS Score: 100 88 pastebin.com 2->88 90 paste.ee 2->90 92 10 other IPs or domains 2->92 106 Suricata IDS alerts for network traffic 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 Yara detected AntiVM3 2->110 114 17 other signatures 2->114 11 wscript.exe 1 2->11         started        14 powershell.exe 2->14         started        16 powershell.exe 2->16         started        18 3 other processes 2->18 signatures3 112 Connects to a pastebin service (likely for C&C) 90->112 process4 signatures5 134 Suspicious powershell command line found 11->134 136 Wscript starts Powershell (via cmd or directly) 11->136 138 Uses schtasks.exe or at.exe to add and modify task schedules 11->138 142 2 other signatures 11->142 20 powershell.exe 7 11->20         started        23 schtasks.exe 1 11->23         started        25 schtasks.exe 1 11->25         started        27 wscript.exe 14->27         started        29 conhost.exe 14->29         started        31 wscript.exe 16->31         started        33 conhost.exe 16->33         started        140 Wscript called in batch mode (surpress errors) 18->140 35 conhost.exe 18->35         started        37 3 other processes 18->37 process6 signatures7 116 Suspicious powershell command line found 20->116 118 Encrypted powershell cmdline option found 20->118 120 Bypasses PowerShell execution policy 20->120 124 2 other signatures 20->124 39 powershell.exe 14 19 20->39         started        44 conhost.exe 20->44         started        46 conhost.exe 23->46         started        48 conhost.exe 25->48         started        122 Wscript starts Powershell (via cmd or directly) 27->122 50 powershell.exe 27->50         started        52 powershell.exe 31->52         started        process8 dnsIp9 98 paste.ee 23.186.113.60, 443, 49690, 49693 KLAYER-GLOBALNL Reserved 39->98 100 pastebin.com 104.22.68.199, 443, 49688, 49691 CLOUDFLARENETUS United States 39->100 86 C:\Users\user\AppData\Local\Temp\dll03.ps1, Unicode 39->86 dropped 130 Potential dropper URLs found in powershell memory 39->130 54 powershell.exe 15 39->54         started        132 Wscript called in batch mode (surpress errors) 50->132 58 conhost.exe 50->58         started        60 wscript.exe 50->60         started        62 conhost.exe 52->62         started        64 wscript.exe 52->64         started        file10 signatures11 process12 file13 80 __________________...________-------.lnk, MS 54->80 dropped 82 C:\Users\user\AppData\Local\Temp\xx2.vbs, ASCII 54->82 dropped 126 Writes to foreign memory regions 54->126 128 Injects a PE file into a foreign processes 54->128 66 powershell.exe 23 54->66         started        69 MSBuild.exe 16 5 54->69         started        73 powershell.exe 11 54->73         started        75 powershell.exe 54->75         started        signatures14 process15 dnsIp16 102 Loading BitLocker PowerShell Module 66->102 77 powershell.exe 1 9 66->77         started        94 greataggy2.linkpc.net 105.112.193.97, 1009 VNL1-ASNG Nigeria 69->94 96 freegeoip.net 15.197.148.33, 49700, 80 TANDEMUS United States 69->96 84 C:\Users\user\AppData\Roaming\...\server.exe, PE32 69->84 dropped 104 Creates multiple autostart registry keys 69->104 file17 signatures18 process19 signatures20 144 Creates autostart registry keys with suspicious values (likely registry only malware) 77->144 146 Creates autostart registry keys with suspicious names 77->146 148 Creates multiple autostart registry keys 77->148
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/acae2eb792f7d641ffa6b0fb92e885db935307ba0dba00afe113b78a9c1d267f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acae2eb792f7d641ffa6b0fb92e885db935307ba0dba00afe113b78a9c1d267f/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-04-06 01:10:00 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsxc5n4s67led75gwd5zf2ef3ojvgb52bw5abl7bco3yvha5ez7q._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution persistence
Link:
https://tria.ge/reports/250406-f7eh6avnv7/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Hide Artifacts: Hidden Window
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://pastebin.com/raw/pzXGkayU
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/acae2eb792f7d641ffa6b0fb92e885db935307ba0dba00afe113b78a9c1d267f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/818/

Comments