MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caf2b8fdead934a7b9b2a529e930dc83ebaa08162d550c6b8640d52e2c99ebe4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PhoenixStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caf2b8fdead934a7b9b2a529e930dc83ebaa08162d550c6b8640d52e2c99ebe4
SHA3-384 hash: 4a830177aa1df13159314996016e47a24973dd9711333cb0f792aaed1b8fdee8e507f3309c31e4e6fe924ac65f00e287
SHA1 hash: ccb4d3437215fc4f7c48931d90737545d860ad43
MD5 hash: c7e1096c91970b63cd36bb3d38e2e6be
humanhash: texas-alabama-equal-may
File name:Docs79902865-INVPKL.vbs
Download: download sample
Signature PhoenixStealer
Create hunting rule
File size:342'698 bytes
First seen:2026-06-15 17:04:38 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:mjfWI+tXmd5DKdWpkH9MDRTq4onw54TZr7pzE89QwR0BGJvlT:mjfWI0XmrDKMpkHGD84onwAV7ppQwR0O
TLSH T1DF744A343DFA5019B173EE559BE478EADA6FB7B3370A541D1091038A0B13A81EDD263E
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:PhoenixStealer vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70853/
Detection(s):
SecuriteInfo.com.VBS.Agent-107.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3030ed34eaf30d8ce6692b
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6a3030f21f652d6865815933/reports/4a8ae649-51e6-421e-840d-29f3675ef8a0/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/caf2b8fdead934a7b9b2a529e930dc83ebaa08162d550c6b8640d52e2c99ebe4
Verdict:
Malicious
File Type:
vbs
First seen:
2026-06-15T10:34:00Z UTC
Last seen:
2026-06-15T13:44:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/caf2b8fdead934a7b9b2a529e930dc83ebaa08162d550c6b8640d52e2c99ebe4/results?tab=lookup
Result
Threat name:
RDPWrap Tool, Clipboard Hijacker, Phoeni
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1928250
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell scriptblock execution from environment variable
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to access browser extension known for cryptocurrency wallets
Tries to harvest and steal browser information (history, passwords, etc)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Generic Stealer
Yara detected Phoenix Stealer
Yara detected RDPWrap Tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1928250 Sample: Docs79902865-INVPKL.vbs Startdate: 15/06/2026 Architecture: WINDOWS Score: 100 34 www.controliumbt.com 2->34 36 ip-api.com 2->36 38 controliumbt.com 2->38 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for dropped file 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 8 other signatures 2->60 10 wscript.exe 1 2->10         started        signatures3 process4 signatures5 62 VBScript performs obfuscated calls to suspicious functions 10->62 64 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->64 66 Suspicious execution chain found 10->66 68 2 other signatures 10->68 13 conhost.exe 10->13         started        process6 process7 15 powershell.exe 15 32 13->15         started        dnsIp8 40 155.117.183.31, 4449, 49730 WINDSTREAM-WindstreamCommunicationsLLCUS United States 15->40 42 controliumbt.com 185.181.252.118, 443, 49719 WHG-USE1GB United States 15->42 44 ip-api.com 208.95.112.1, 49729, 80 TUT-AS-TotalUptimeTechnologiesLLCUS United States 15->44 28 C:\Users\user\AppData\...\cookies.sqlite-shm, data 15->28 dropped 30 BeneficialPackingB...vbs:Zone.Identifier, ASCII 15->30 dropped 32 C:\Users\...\BeneficialPackingBasename.vbs, Unicode 15->32 dropped 46 Creates an undocumented autostart registry key 15->46 48 Contains functionality to start a terminal service 15->48 50 Contains functionality to hide user accounts 15->50 52 7 other signatures 15->52 20 msedge.exe 3 15->20         started        22 chrome.exe 1 15->22         started        file9 signatures10 process11 process12 24 msedge.exe 20->24         started        26 chrome.exe 22->26         started       
Score:
94%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/caf2b8fdead934a7b9b2a529e930dc83ebaa08162d550c6b8640d52e2c99ebe4
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caf2b8fdead934a7b9b2a529e930dc83ebaa08162d550c6b8640d52e2c99ebe4/
Verdict:
Malicious
Threat:
Trojan.Win32
Link:
https://tip.neiki.dev/file/caf2b8fdead934a7b9b2a529e930dc83ebaa08162d550c6b8640d52e2c99ebe4
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlzlr7pk3e2kponsuuu6smg4qpv2ucawfvkqy24gidks4lez5psa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution persistence
Link:
https://tria.ge/reports/260615-vl88zadt3w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/caf2b8fdead934a7b9b2a529e930dc83ebaa08162d550c6b8640d52e2c99ebe4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/70853/

Comments