MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6c2fb4e954ea627d55f3b27a167573d492e7e201ccb70a67391343bfbfc2888. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6c2fb4e954ea627d55f3b27a167573d492e7e201ccb70a67391343bfbfc2888
SHA3-384 hash: c6ae33a52422066ef77f4aac5a0a3a228dc9b3fb8416ebcbb3d0692a3afd225bb3197e5e0c4363fe1cde6e6564545d16
SHA1 hash: 8afd6088c413e96e1c2d4321e70347642fc9301d
MD5 hash: 1c201a6b01fa0ec9eae77658c54c7931
humanhash: xray-edward-east-florida
File name:dn.vbs
Download: download sample
File size:667 bytes
First seen:2025-12-14 06:07:25 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:9vWdgBK1HerhB08YakHrTVGFQfoZifaZCCcsBZgGS9HHCD:9AQhV7knMQGntcscGWHA
TLSH T1F201D307D6078EE3467002EC45D4D507DE89C4371255593CBD68D015BB288F0B9F46DF
Magika vba
Reporter abuse_ch
Tags:vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
39
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44580/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693e544fa62a7a3aa046c624
Tags:
trojandownloader virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin msiexec ping
Link:
https://www.filescan.io/uploads/693e544e1eac7b9b76a95730/reports/c58b847e-ade6-4243-9c86-c412d513521c/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/VBS.Agent
Link:
https://www.hybrid-analysis.com/sample/d6c2fb4e954ea627d55f3b27a167573d492e7e201ccb70a67391343bfbfc2888
Verdict:
Malicious
File Type:
vbs
First seen:
2025-12-14T02:58:00Z UTC
Last seen:
2025-12-14T12:08:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.VBS.SLoad.gen UDS:DangerousObject.Multi.Generic Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/d6c2fb4e954ea627d55f3b27a167573d492e7e201ccb70a67391343bfbfc2888/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1832343
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powershell create lnk in startup
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1832343 Sample: dn.vbs Startdate: 14/12/2025 Architecture: WINDOWS Score: 100 64 w2li.xyz 2->64 66 nodejs.org 2->66 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Sigma detected: Powershell create lnk in startup 2->80 84 10 other signatures 2->84 11 wscript.exe 2 2->11         started        16 msiexec.exe 75 36 2->16         started        18 powershell.exe 2->18         started        signatures3 82 Performs DNS queries to domains with low reputation 64->82 process4 dnsIp5 68 103.27.157.60, 49718, 5506 VECTANTARTERIANetworksCorporationJP Japan 11->68 62 C:\Windows\Temp\upd1412_7054.msi, Composite 11->62 dropped 108 System process connects to network (likely due to code injection or exploit) 11->108 110 VBScript performs obfuscated calls to suspicious functions 11->110 112 Wscript starts Powershell (via cmd or directly) 11->112 114 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->114 20 cmd.exe 1 11->20         started        23 msiexec.exe 11->23         started        25 cmd.exe 1 16->25         started        27 cmd.exe 18->27         started        29 conhost.exe 18->29         started        file6 signatures7 process8 signatures9 86 Uses ping.exe to sleep 20->86 88 Bypasses PowerShell execution policy 20->88 90 Uses ping.exe to check the status of other devices and networks 20->90 31 PING.EXE 1 20->31         started        34 conhost.exe 20->34         started        92 Suspicious powershell command line found 25->92 94 Wscript starts Powershell (via cmd or directly) 25->94 36 powershell.exe 22 1002 25->36         started        39 conhost.exe 25->39         started        41 node.exe 27->41         started        process10 dnsIp11 72 127.0.0.1 unknown unknown 31->72 74 nodejs.org 172.66.128.70, 443, 49719 CLOUDFLARENETUS United States 36->74 96 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->96 98 Found suspicious powershell code related to unpacking or dynamic code loading 36->98 100 Powershell creates an autostart link 36->100 102 Loading BitLocker PowerShell Module 36->102 43 node.exe 1 36->43         started        47 setx.exe 1 36->47         started        signatures12 process13 dnsIp14 70 w2li.xyz 93.113.25.169, 49728, 49729, 49732 SIMPLIQ-ASRO Romania 43->70 104 Suspicious powershell command line found 43->104 106 Unusual module load detection (module proxying) 43->106 49 powershell.exe 15 43->49         started        52 node.exe 2 43->52         started        signatures15 process16 file17 58 C:\Users\user\AppData\Roaming\...\1212.lnk, MS 49->58 dropped 54 conhost.exe 49->54         started        60 C:\Users\user\...\8f42fdde60222ec1.node, PE32+ 52->60 dropped 56 powershell.exe 52->56         started        process18
Score:
9%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/d6c2fb4e954ea627d55f3b27a167573d492e7e201ccb70a67391343bfbfc2888
Verdict:
Malware
YARA:
1 match(es)
Tags:
ADODB.Stream MSXML2.ServerXMLHTTP.6.0 VBScript WScript.Shell
Link:
https://app.malva.re/file/1c201a6b01fa0ec9eae77658c54c7931
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6c2fb4e954ea627d55f3b27a167573d492e7e201ccb70a67391343bfbfc2888/
Verdict:
Malicious
Threat:
Trojan-Downloader.VBS.SLoad
Link:
https://tip.neiki.dev/file/d6c2fb4e954ea627d55f3b27a167573d492e7e201ccb70a67391343bfbfc2888
Threat name:
Script-WScript.Downloader.DeerStealer
Create hunting rule
Status:
Malicious
First seen:
2025-12-14 06:21:13 UTC
AV detection:
11 of 38 (28.95%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=23bpwtuvj2tcpvk7hmt2cz2xhves47radtfxbjttse2dx674fcea._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/251214-gv2nlaew5e/
Behaviour
Checks processor information in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Enumerates connected drives
Hide Artifacts: Hidden Window
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Malware Config
Dropper Extraction:
https://nodejs.org/dist/v22.16.0/node-v22.16.0-win-x64.zip
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6c2fb4e954ea627d55f3b27a167573d492e7e201ccb70a67391343bfbfc2888

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Visual Basic Script (vbs) vbs d6c2fb4e954ea627d55f3b27a167573d492e7e201ccb70a67391343bfbfc2888

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3733376/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/44580/

Comments