MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc4096fc2241907a747764d2f4407823d5ca9a8367f5ce07610a3b070b18e2b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PoisonIvy


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc4096fc2241907a747764d2f4407823d5ca9a8367f5ce07610a3b070b18e2b4
SHA3-384 hash: ff18e81ca3de466db650ab9f88a95178eb1d8e1d7b2e48974a8e6ac2bc821f459c0fa449f27637dd57af9042f6cefde9
SHA1 hash: 78df4fc1f1533a01d4063c8ca228477c3c91981d
MD5 hash: d0ab907a6fab827da71bcfc524c03eb1
humanhash: carbon-harry-high-batman
File name:PDF_Reserva.vbs
Download: download sample
Signature PoisonIvy
Create hunting rule
File size:116'436 bytes
First seen:2023-02-24 13:38:26 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:YDHeBQxnnnnnN5nnnnnnnnnnq4nnnnnnnnnnnnnnnnnnnnnn0vxNj53e:+yNj5O
Threatray 94 similar samples on MalwareBazaar
TLSH T1ADB3EF426BEA1108B5F3AB445A7A55644F2BBCDA6D7DD50E01CC6A4D0BF3E80CC60BB7
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:PoisonIvy vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PoisonIvy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369471/
Verdict:
Unknown
Threat level:
  0/10
Confidence:
50%
Link:
https://www.filescan.io/uploads/63f8bdf90796d7d621e86870/reports/c8d54f70-584c-4e00-b5af-055b5fe3b41f/overview
Verdict:
Malicious
Labled as:
Trojan.Script.Donoff
Link:
https://www.hybrid-analysis.com/sample/bc4096fc2241907a747764d2f4407823d5ca9a8367f5ce07610a3b070b18e2b4
Result
Threat name:
Poisonivy
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181887
Signature
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to hide the console window
DLL side loading technique detected
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Poisonivy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814719 Sample: PDF_Reserva.vbs Startdate: 24/02/2023 Architecture: WINDOWS Score: 100 86 Malicious sample detected (through community Yara rule) 2->86 88 Multi AV Scanner detection for dropped file 2->88 90 Yara detected Poisonivy 2->90 92 2 other signatures 2->92 8 wscript.exe 3 2->8         started        13 wscript.exe 3 2->13         started        process3 dnsIp4 64 paste.ee 188.114.97.3, 443, 49696 CLOUDFLARENETUS European Union 8->64 58 C:\Users\...\PDF_Reserva_2023224144954.vbs, Unicode 8->58 dropped 96 System process connects to network (likely due to code injection or exploit) 8->96 98 VBScript performs obfuscated calls to suspicious functions 8->98 100 Windows Shell Script Host drops VBS files 8->100 102 Drops VBS files to the startup folder 8->102 15 wscript.exe 4 8->15         started        60 PDF_Reserva_202322...4_2023224145042.vbs, Unicode 13->60 dropped 104 Wscript called in batch mode (surpress errors) 13->104 20 wscript.exe 3 13->20         started        file5 signatures6 process7 dnsIp8 66 188.114.96.3, 443, 49699, 49700 CLOUDFLARENETUS European Union 15->66 68 paste.ee 15->68 52 C:\Users\user\AppData\Local\...\dynwrapx.dll, PE32 15->52 dropped 54 C:\Users\...\PDF_Reserva_2023224145030.vbs, Unicode 15->54 dropped 72 System process connects to network (likely due to code injection or exploit) 15->72 74 VBScript performs obfuscated calls to suspicious functions 15->74 76 Windows Shell Script Host drops VBS files 15->76 84 2 other signatures 15->84 22 winhlp32.exe 1 15->22         started        26 winhlp32.exe 1 15->26         started        28 winhlp32.exe 15->28         started        36 3 other processes 15->36 70 paste.ee 20->70 56 PDF_Reserva_202322...4_2023224145121.vbs, Unicode 20->56 dropped 78 Writes to foreign memory regions 20->78 80 Allocates memory in foreign processes 20->80 82 DLL side loading technique detected 20->82 30 winhlp32.exe 20->30         started        32 winhlp32.exe 20->32         started        34 winhlp32.exe 20->34         started        38 3 other processes 20->38 file9 signatures10 process11 dnsIp12 62 141.95.84.40, 49701, 8888 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 22->62 94 Contains functionality to hide the console window 22->94 40 conhost.exe 22->40         started        42 conhost.exe 26->42         started        44 WerFault.exe 28->44         started        46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        50 WerFault.exe 34->50         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc4096fc2241907a747764d2f4407823d5ca9a8367f5ce07610a3b070b18e2b4/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xrajn7bcigihu5dxmtjpiqdyepk4vgudm7244b3bbi5qocyy4k2a._file
Verdict:
malicious
Similar samples:
2e37d7372a97df9e3955837eeae856489541aab815dffabc00bbc72af6483e9b
PoisonIvy
56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325
PoisonIvy
7ae649393a0e8146b5d757be5088e46013370615f13e78147e6221b63903684d
PoisonIvy
8f5cb33b00611c1f69f43241fc7193c0d633387deca7539005a1f71b6fee2394
PoisonIvy
a0362be648ebb92266bb64410e429350aefbddb0af74d7e89bea23cfbe75aa64
PoisonIvy
a8df56b7dd55d5e18c8a4aceb72729b062768d5dc57f56f1a3249ce5577825b7
PoisonIvy
edba3ca498110106418658167533034aeb929276fe81de80c6de1a6bb95120e0
PoisonIvy
fa2e0066a72e409c12bb2f71eb282d8feb9cf7a956ed51a22a69c4a43c7a9dba
PoisonIvy
+ 84 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230224-qx2wtadd7z/
Behaviour
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Loads dropped DLL
Registers COM server for autorun
Blocklisted process makes network request
Malware family:
PoisonIvy
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc4096fc2241/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc4096fc2241907a747764d2f4407823d5ca9a8367f5ce07610a3b070b18e2b4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369471/

Comments