MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce6b7a43af6fa21a6c81fbe5526f2fdbf8b895ca1fd4df44c841e5ee0fddecd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

SHA256 hash: ce6b7a43af6fa21a6c81fbe5526f2fdbf8b895ca1fd4df44c841e5ee0fddecd6
SHA3-384 hash: 414c7206361bdeb7e2b059798b0716e04114d557271c21150e88e0e3fedc2d4ee813ccf7150558cffb32cff3e4a1fab4
SHA1 hash: d39ad230cb0b9b835b67f4d72f6529b7303eb540
MD5 hash: a128985011dffc2326ad08350e6a332b
humanhash: two-edward-freddie-jig
File name: Bangladesh Air Force Procurement Plan 2026.vbs
File size: 79'562 bytes
First seen: 2026-03-12 12:29:46 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 1536:YSHLj7dh2NmXQpipw6skXAqYyA3fO6/WmmoS0BYSWQ3Cewfy/1OqJAJPVq:YUj7DamApipq3fO6/WmmoS0BwQ3CewKZ
TLSH: T11973B500A3E81345F9F77F45A97E44244A37BE69DD35CAAD809D888E07B39058DB6F32
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1); 33.3% (.MP3) MP3 audio (1000/1)
Magika: vba
Reporter: smica83
Tags: vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 85
Origin country: HU
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 94.9%
Tags: shell agent sage

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm evasive fingerprint lolbin schtasks wscript

Verdict: Malicious
Labeled as: HEUR_TrojanDownloader_Script_Generic

Verdict: Malicious
File Type: vbs
Detections: Trojan.JS.SAgent.sb, HEUR:Trojan-Downloader.Script.Generic, Trojan-Dropper.Win32.Agent.sb, Trojan-Downloader.Agent.HTTP.C&C, PDM:Trojan.Win32.Generic, Backdoor.Win32.Androm.sb, Trojan-Downloader.JS.Cryptoload.sb, Trojan.VBS.SAgent.sb, Trojan-Spy.MetaStealer.HTTP.C&C, Trojan-Dropper.Win32.Injector.sb, Trojan.Win32.Agent.sb, NetTool.PowerShellUA.HTTP.C&C, NetTool.PowerShellGet.HTTP.C&C
Result
Threat name: n/a
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signatures:
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Joe Sandbox ML detected suspicious sample
Self deletion via cmd or bat file
Sigma detected: Register Wscript In Run Key
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Wscript called in batch mode (suppress errors)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID 1882583; sample "Bangladesh Air Force Procur..."; start date 12/03/2026; architecture WINDOWS; score 100). The graph's node labels, flattened in the page text, are reproduced here as a tree:

Top level
  Network: checkip.us-east-1.prod.check-ip.aws.a2z.com; checkip.check-ip.aws.a2z.com; 2 other IPs or domains
  Signatures: Sigma detected: Register Wscript In Run Key; Suricata IDS alerts for network traffic; Uses known network protocols on non-standard ports; 5 other signatures
  Processes started: wscript.exe; wscript.exe; chrome.exe; 2 other processes

wscript.exe (first instance)
  Dropped: C:\Users\user\AppData\...\wupdate_helper.vbs (Unicode); C:\Users\user\AppData\...\vps_transfer.ps1 (ASCII); C:\Users\user\AppData\Local\...\vps_c2.ps1 (ASCII); 3 other malicious files
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 7 other signatures
  Child processes: chrome.exe; powershell.exe; powershell.exe; 4 other processes

chrome.exe (child of wscript.exe)
  Network: 192.168.2.5 (ports 138, 443, 49172; unknown)
  Child process: chrome.exe
    Network: downloadplaclouddata.com 162.244.93.6 (ports 443, 49698, 49699) PONYNETUS, United States; hdwebv6.mail.ntes53.netease.com 103.129.252.49 (ports 443, 49723, 49724) NETEASE-AS-APNETEASEHONGKONGLIMITEDHK, Hong Kong; 2 other IPs or domains

powershell.exe (first instance)
  Network: 149.104.104.244 (ports 49711, 49718, 49728) COGENT-174US, United States
  Child process: conhost.exe

powershell.exe (second instance)
  Network: checkip.us-east-1.prod.check-ip.aws.a2z.com 98.95.61.46 (ports 49710, 80) TWC-11351-NORTHEASTUS, United States; api.ipify.org 104.26.12.205 (ports 443, 49713) CLOUDFLARENETUS, United States
  Child process: conhost.exe

4 other processes
  Child processes: conhost.exe; conhost.exe; conhost.exe; 2 other processes
Verdict: Malicious
Threat: Trojan-Downloader.JS.Cryptoload

Threat name: Text.Trojan.Generic
Status: Suspicious
First seen: 2026-03-11 21:00:27 UTC
File Type: Text (PowerShell)
AV detection: 7 of 38 (18.42%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery execution persistence
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Windows directory
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
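The Joe Sandbox signatures (WScript starting PowerShell, schtasks.exe adding a task, the Run-key registration, script files dropped under AppData) and the Triage behaviour list above describe one execution chain. The following is an added example, not code from MalwareBazaar or either sandbox, that expresses those checks as Sigma-style rules in Python and runs them over a constructed Sysmon-like event list. The event field names, the Run-key value name WUpdateHelper, the task name and the full paths are assumptions; the dropped file names are the ones the entry reports.

```python
"""Sigma-style checks for the WScript -> PowerShell / schtasks / Run-key chain.

Added example. Events below are constructed to resemble Sysmon IDs 1 (process
create), 11 (file create) and 13 (registry value set); field names, paths,
the task name and the Run-key value name are assumptions.
"""
import re

SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\Bangladesh Air Force Procurement Plan 2026.vbs"'},
    {"id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\user\AppData\Roaming\wupdate_helper.vbs"},
    {"id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\vps_c2.ps1"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\vps_c2.ps1"'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r'schtasks.exe /Create /SC MINUTE /MO 5 /TN WUpdateHelper /TR "wscript.exe //B C:\Users\user\AppData\Roaming\wupdate_helper.vbs" /F'},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WUpdateHelper",
     "details": r"wscript.exe //B C:\Users\user\AppData\Roaming\wupdate_helper.vbs"},
    # Benign noise: an interactive cmd.exe from Explorer must not fire anything.
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "cmd.exe /c dir"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def _basename(path):
    """Lower-cased file name of a Windows path ('' for missing fields)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a sorted list of (rule_name, event_index) hits over the events."""
    hits = []
    for i, ev in enumerate(events):
        img = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent", ""))
        cmd = ev.get("cmd", "")
        target = ev.get("target", "")
        if ev["id"] == 1 and parent in SCRIPT_HOSTS and img in INTERPRETERS:
            hits.append(("WScript starts PowerShell/cmd", i))
            # '-ep bypass', '-exec bypass' and the long form are the usual spellings
            if re.search(r"-(?:ep|exec|executionpolicy)\s+bypass", cmd, re.I):
                hits.append(("PowerShell execution policy bypass", i))
        if (ev["id"] == 1 and parent in SCRIPT_HOSTS and img == "schtasks.exe"
                and re.search(r"/create\b", cmd, re.I)):
            hits.append(("Scheduled task created from script host", i))
        if ev["id"] == 11 and img in SCRIPT_HOSTS and re.search(
                r"\\appdata\\.*\.(vbs|ps1|js|bat)$", target, re.I):
            hits.append(("Script host drops script to AppData", i))
        if (ev["id"] == 13 and re.search(r"\\CurrentVersion\\Run\\", target, re.I)
                and re.search(r"wscript|cscript|\.vbs\b", ev.get("details", ""), re.I)):
            hits.append(("Register WScript in Run key", i))
        if ev["id"] == 1 and img in SCRIPT_HOSTS and re.search(r"\\Downloads\\.*\.vbs", cmd, re.I):
            hits.append(("Script host launched from Downloads", i))
    return sorted(hits)


def correlate(hits, min_rules=3):
    """Treat the host as compromised when several distinct rules fire together;
    any single rule here is noisy on its own (admin scripts also use wscript)."""
    return len({rule for rule, _ in hits}) >= min_rules


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, idx in found:
        print(f"{rule:42s} event #{idx}")
    print("escalate" if correlate(found) else "monitor")
```

Each rule on its own would be too noisy for an alert (logon scripts legitimately run under wscript.exe); the point of `correlate` is that this sample trips five distinct rules from one parent, which is the "suspicious execution chain" the sandbox reports.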
Malware Config
Dropper Extraction: http://149.104.104.244:8443
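The dropper URL above and the network nodes in the behaviour graph give a small IOC set for this sample. The following added example (not code from MalwareBazaar or the sandboxes) matches them against constructed proxy-log lines and scores the hits: the contact with 149.104.104.244 on 8443, which the sandbox flagged as a known protocol on a non-standard port, is escalated on its own, while the public-IP lookups to api.ipify.org and the AWS checkip hosts are legitimate services and only corroborate. The log format, timestamps and internal source addresses are assumptions.

```python
"""Network IOC matching and scoring for the indicators reported for this sample.

Added example. Indicator values are the ones on the entry; the log format,
timestamps and internal addresses below are constructed.
"""
import ipaddress
import re

C2_IPS = {"149.104.104.244"}
DROPPER_URLS = {"http://149.104.104.244:8443"}
SUSPECT_HOSTS = {"downloadplaclouddata.com"}
# Legitimate IP-echo services: weak evidence alone, useful only alongside a stronger hit.
IP_LOOKUP_HOSTS = {"api.ipify.org",
                   "checkip.us-east-1.prod.check-ip.aws.a2z.com",
                   "checkip.check-ip.aws.a2z.com"}
STANDARD_PORTS = {"http": {80, 8080}, "https": {443}}

# Constructed log lines: "<ts> <src> <dst_ip>:<dst_port> <proto> <host> <url>"
SAMPLE_LOG = """\
2026-03-12T12:31:02Z 10.0.0.7 98.95.61.46:80 http checkip.us-east-1.prod.check-ip.aws.a2z.com http://checkip.us-east-1.prod.check-ip.aws.a2z.com/
2026-03-12T12:31:05Z 10.0.0.7 104.26.12.205:443 https api.ipify.org https://api.ipify.org/
2026-03-12T12:31:09Z 10.0.0.7 149.104.104.244:8443 http - http://149.104.104.244:8443/
2026-03-12T12:31:40Z 10.0.0.7 162.244.93.6:443 https downloadplaclouddata.com https://downloadplaclouddata.com/
2026-03-12T12:32:00Z 10.0.0.7 192.168.2.5:138 - - -
2026-03-12T12:35:00Z 10.0.0.9 142.250.72.14:443 https www.google.com https://www.google.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, proto, host, url = m.groups()
            yield {"ts": ts, "src": src, "dst": dst, "port": int(port),
                   "proto": proto, "host": host, "url": url}


def classify(rec):
    """Return (severity, reason) for one record, or None if nothing matched."""
    if ipaddress.ip_address(rec["dst"]).is_private:
        return None  # the 192.168.2.5 node in the graph is sandbox-internal, not an IOC
    if rec["dst"] in C2_IPS or rec["url"].rstrip("/") in DROPPER_URLS:
        reason = "known C2 / dropper endpoint"
        if rec["proto"] in STANDARD_PORTS and rec["port"] not in STANDARD_PORTS[rec["proto"]]:
            reason += f" ({rec['proto']} on non-standard port {rec['port']})"
        return ("high", reason)
    if rec["host"] in SUSPECT_HOSTS:
        return ("medium", "host seen in sandbox network trace")
    if rec["host"] in IP_LOOKUP_HOSTS:
        return ("low", "external IP lookup (corroborating only)")
    return None


def triage(log_text):
    """Group hits per source host and decide escalate/monitor per host.

    A host is escalated on any high hit, or when a medium hit is paired with
    the IP-lookup pattern; IP lookups alone only get monitored."""
    per_src = {}
    for rec in parse(log_text):
        c = classify(rec)
        if c:
            per_src.setdefault(rec["src"], []).append((rec["ts"], rec["dst"], rec["port"]) + c)
    verdicts = {}
    for src, hits in per_src.items():
        sev = {h[3] for h in hits}
        escalate = "high" in sev or ("medium" in sev and "low" in sev)
        verdicts[src] = "escalate" if escalate else "monitor"
    return per_src, verdicts


if __name__ == "__main__":
    per_src, verdicts = triage(SAMPLE_LOG)
    for src, hits in per_src.items():
        print(src, verdicts[src])
        for ts, dst, port, sev, reason in hits:
            print(f"  {ts} {dst}:{port} [{sev}] {reason}")
```

The ordering in the constructed log mirrors the graph: the two IP lookups happen first, then the 8443 contact, then the TLS session to downloadplaclouddata.com; a hunt that keyed only on the AWS checkip or ipify hosts would page on every machine running a dynamic-DNS client, which is why those are scored low.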
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft SmartScreen

Rule name: SUSP_VBS_Wscript_Shell
Author: SECUINFRA Falcon Team
Description: Detects the definition of 'Wscript.Shell' which is often used by malware; FPs are possible and common

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)

File information


The table below shows additional information about this malware sample such as delivery method and external references.
