MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7340e6ebd71590ca9bf8c864ce67c3dcef15b493a3679372db5624483c8ad98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: d7340e6ebd71590ca9bf8c864ce67c3dcef15b493a3679372db5624483c8ad98
SHA3-384 hash: 5172f706c24f7e3ef8199412bfdbff776039c1d6252978ae61af787367442c9dbd27e79333fddcfb454cb5adec8362dd
SHA1 hash: 9d272c3a42a267cfad28f990e41526ad1b993aaa
MD5 hash: 8f8483961c57438cf1a460e4c4f0b328
humanhash: bravo-winter-kansas-saturn
File name: trqd_81.vbs
File size: 2'732 bytes
First seen: 2026-02-17 07:21:32 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:a82bsaQZAONd6ddoLTPErVsBAE8aifLv/thIJnf1kcW78uvLa6UC:5gdddSgsYfLkFajvL3
TLSH: T1B551815A9F0DA27D49604343CB2BBD4DC7E8557E6300A824BD9CE48C672832CC2E91DB
Magika: vba
Reporter: abuse_ch
Tags: vbs

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 46
Origin country: SE
Vendor Threat Intelligence

No detections

Verdict: Suspicious
Score: 50%
Tags: dropper emotet spawn blic

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive lolbin msiexec wscript

Verdict: Malicious
File Type: vbs
Detections: Trojan-Downloader.JS.SLoad.sb HEUR:Trojan.VBS.SAgent.gen Trojan.JS.SAgent.sb not-a-virus:HEUR:RemoteAdmin.Win32.GoToResolve.gen

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Enables network access during safeboot for specific services
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Query firmware table information (likely to detect VMs)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 1870261, Sample: trqd_81.vbs, Startdate: 17/02/2026, Architecture: WINDOWS, Score: 100]

Verdict: Malware
YARA: 1 match(es)
Tags: ADODB.Stream Scripting.FileSystemObject Shell.Application VBScript WinHttp.WinHttpRequest.5.1 WScript.Shell

Result
Malware family: n/a
Score: 8/10
Tags: backdoor defense_evasion discovery execution persistence privilege_escalation rat spyware trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Checks system information in the registry
Drops file in System32 directory
Checks installed software on the system
Enumerates connected drives
Checks BIOS information in registry
Checks computer location settings
Detects GoToResolve remote administration tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments