MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c34fbe5bb7db1716d8933f17bfa914066508430c5b89c040aeccca2df4d788c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: c34fbe5bb7db1716d8933f17bfa914066508430c5b89c040aeccca2df4d788c7
SHA3-384 hash: f93140f1d7c47961c747de6564e7fec60c081ed265e5074404ab8640396661ca36204a05658dd55dba3e36fae9a4fb07
SHA1 hash: 62a51b84e2e88d670b6b465c82e787cc69793ae0
MD5 hash: 718195006bc0653c79ba17f6ba4f0dfe
humanhash: alpha-island-kentucky-utah
File name: Dopey.vbs
File size: 21'137 bytes
First seen: 2022-11-10 07:25:36 UTC
Last seen: 2022-11-14 13:42:19 UTC
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 384:RGeYxj6EV77s16PWLmN5GRryl14Gc8/oC7kmiHIg+pQxRtq0O0xts:VEh81bryl2Gc8/Zpgq/MK
Threatray: 3'118 similar samples on MalwareBazaar
TLSH: T19592D2A14CA82A57A9AB61F3A75E6279F45C11F7841640F63C1FF1B00D2D3243D6C89F
Reporter: abuse_ch
Tags: vbs

Intelligence


File Origin
# of uploads: 2
# of downloads: 95
Origin country: n/a

Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: evasive

Result
Verdict: UNKNOWN
Details: Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 80 / 100
Signature
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID: 742813, Sample: Dopey.vbs, Startdate: 10/11/2022, Architecture: WINDOWS, Score: 80):
wscript.exe
  powershell.exe
    network: drive.google.com 142.250.203.110, 443, 49709 GOOGLEUS United States
    dropped: C:\Users\user\AppData\...\0ybulrw5.cmdline, Unicode
    csc.exe
      dropped: C:\Users\user\AppData\Local\...\0ybulrw5.dll, PE32
      cvtres.exe
    WerFault.exe
    conhost.exe
    WerFault.exe
  cmd.exe
    conhost.exe

Threat name: Script-WScript.Trojan.Leonem
Status: Malicious
First seen: 2022-11-10 01:48:52 UTC
File Type: Text (VBS)
AV detection: 11 of 26 (42.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
