MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2f74dbb944eb5699de861b7044b5aa9c9f3904d166bdab705a4024b0bc34eaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2f74dbb944eb5699de861b7044b5aa9c9f3904d166bdab705a4024b0bc34eaf
SHA3-384 hash: e7962d7767392036d07a00bce9851fa5c1f30b29a5a6cb4b4fa520e0133a49abbc877c4591f0d31012b58d2dab0c9a1e
SHA1 hash: 6a6d01a0523059e270adae4f6511e0490f84b16b
MD5 hash: 9775b12be2c5f6a1152f2450c8d888d5
humanhash: stream-carbon-winter-september
File name:S_D_09887766766676.vbs
Download: download sample
File size:325'564 bytes
First seen:2023-08-22 07:43:43 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:zJnbA84EAnAlAjAsaZABSiWIr/0VwyC4gC4g94gMEqCBLrDI4b4t7isnlbUHAvza:zJnbA84EAnAlAjAsaZABSiWIL0VdmfwH
Threatray 10 similar samples on MalwareBazaar
TLSH T14464BB1051EF628CF1B37F5307ED68F88F6BB6A15A3A925D215C030A8B97D40CE56B72
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444071/
Detection(s):
SecuriteInfo.com.VBS.Obfuscated-JG.28814.20048.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Trojan.Script.Hworm
Link:
https://www.hybrid-analysis.com/sample/d2f74dbb944eb5699de861b7044b5aa9c9f3904d166bdab705a4024b0bc34eaf
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1294944
Signature
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1294944 Sample: S_D_09887766766676.vbs Startdate: 22/08/2023 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 Sigma detected: Drops script at startup location 2->62 8 wscript.exe 1 2->8         started        11 wscript.exe 1 2->11         started        process3 signatures4 66 VBScript performs obfuscated calls to suspicious functions 8->66 68 Suspicious powershell command line found 8->68 70 Wscript starts Powershell (via cmd or directly) 8->70 13 cmd.exe 1 8->13         started        16 powershell.exe 8->16         started        72 Very long command line found 11->72 18 cmd.exe 1 11->18         started        20 powershell.exe 5 11->20         started        process5 signatures6 80 Wscript starts Powershell (via cmd or directly) 13->80 82 Uses ping.exe to sleep 13->82 84 Uses ping.exe to check the status of other devices and networks 13->84 22 cmd.exe 1 13->22         started        25 PING.EXE 1 13->25         started        28 conhost.exe 13->28         started        86 Suspicious powershell command line found 16->86 30 powershell.exe 16->30         started        32 conhost.exe 16->32         started        34 cmd.exe 1 18->34         started        40 2 other processes 18->40 36 powershell.exe 14 15 20->36         started        38 conhost.exe 20->38         started        process7 dnsIp8 64 Wscript starts Powershell (via cmd or directly) 22->64 42 powershell.exe 9 22->42         started        50 127.0.0.1 unknown unknown 25->50 52 192.210.175.4, 49743, 49744, 80 AS-COLOCROSSINGUS United States 30->52 46 powershell.exe 9 34->46         started        54 uploaddeimagens.com.br 188.114.97.7, 443, 49734, 49735 CLOUDFLARENETUS European Union 36->54 signatures9 process10 file11 48 C:\Users\user\AppData\Roaming\...\KWU.vbs, Unicode 42->48 dropped 74 Suspicious powershell command line found 42->74 76 Drops VBS files to the startup folder 42->76 78 Found suspicious powershell code related to unpacking or dynamic code loading 42->78 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2f74dbb944eb5699de861b7044b5aa9c9f3904d166bdab705a4024b0bc34eaf/
Threat name:
Script-WScript.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-22 07:44:07 UTC
File Type:
Text (VBS)
AV detection:
1 of 38 (2.63%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2l3u3o4uj22wthpimg3qis22vhe7hecnczv5vnyfuqbewc6dj2xq._file
Verdict:
malicious
Similar samples:
044cb562792bad9d4aa1fa99fcb642ed6bf4dd49af86938b75add85d021fa101
2177882a8fb4bd06c84f61e81cb2fdf862e88f0a86b66a10faa88801696422cd
5d0c01b1ceef88fb8963383443d7b833df48e10f8708edbfadb457c4ca99ffb4
94ecbf6f04ad4476d6b032a83b96f93897af0e16821b76802aaafb11677ad836
9d2066db50e75393fa123cca8130de1f88ff0ac4c7498f33ea8d563b91343b46
ac9e25f541065a26fb3dcb26ac76ca5c5ffd44a03973a07f049730f0760d4b04
e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230822-jktlcaag34/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/d2f74dbb944eb5699de861b7044b5aa9c9f3904d166bdab705a4024b0bc34eaf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Visual Basic Script (vbs) vbs d2f74dbb944eb5699de861b7044b5aa9c9f3904d166bdab705a4024b0bc34eaf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/444071/

Comments