MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beb6979d6de1fca232dff618fa0bf08b636886cc035af89dc8729176843907c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 10

SHA256 hash: beb6979d6de1fca232dff618fa0bf08b636886cc035af89dc8729176843907c1
SHA3-384 hash: de98eeaf3fe361ce094ba4bb2eb14f852bc2eea31bc11fc67cbc12446966743508f45f1128dbf45234617ef8ca79c3cc
SHA1 hash: 71794a0fdc7d789254802894670d8596394f1c75
MD5 hash: 1f9b3ef5cec863000853e06467921ff7
humanhash: spaghetti-michigan-louisiana-chicken
File name: 31agosto.vbs
File size: 1'102 bytes
First seen: 2026-03-05 19:05:42 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24:KXnAKqahwAAT2Fpc0K5NU9RGUimUwn/zii9nJswC9KVk6Uwn/zii9nJ7wC9vZ44:NBp90YNIGfmdJJC9KVk6dJkC9hT
TLSH: T11F116A15DC02A9A75E5776E8CA130A18DC79F93B4059A80DB714CE492E359F8B1607E3
Magika: vba
Reporter: abuse_ch
Tags: vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 53
Origin country: SE
Vendor Threat Intelligence

Verdict: Malicious
Score: 81.4%
Tags: trojandownloader dropper html

Verdict: Malicious
File Type: vbs
Detections: Trojan-Downloader.JS.Cryptoload.sb HEUR:Trojan.VBS.Agent.gen
Result
Threat name: RDPWrap Tool
Detection: malicious
Classification: spre.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential malicious VBS script found (has network functionality)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected RDPWrap Tool
Behaviour
Behavior Graph: [graph image not reproduced here; recoverable details follow] Behavior Graph ID 1879206, sample 31agosto.vbs, start date 05/03/2026, architecture WINDOWS, score 100. Process chain: wscript.exe drops tmp1.vbs and tmp2.vbs under the user's Temp folder and starts two child wscript.exe processes; one child starts two powershell.exe instances that write to foreign memory, inject a PE file and launch MSBuild.exe; the MSBuild.exe processes query Win32_PhysicalMemory and Win32_DiskDrive via WMI, install a global keyboard hook, and connect to the dynamic DNS hosts purerat32.duckdns.org and pruebas2026.duckdns.org.
Verdict: Malicious
Threat: Trojan-Downloader.JS.Cryptoload

Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2026-03-05 19:06:28 UTC
File Type: Text (VBS)
AV detection: 10 of 38 (26.32%)
Threat level: 2/5

Result
Malware family: n/a
Score: 10/10
Tags: discovery execution
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Contacts third-party web service commonly abused for C2
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Visual Basic Script (vbs): beb6979d6de1fca232dff618fa0bf08b636886cc035af89dc8729176843907c1 (this sample)

Delivery method
Distributed via web download

Comments



commented on 2026-03-06 11:39:51 UTC

Payload URLs: