MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1ba58b59bc40604a563a09c494b74dd4145a17649c1bab0ed2a671dbe344fa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments

SHA256 hash: e1ba58b59bc40604a563a09c494b74dd4145a17649c1bab0ed2a671dbe344fa0
SHA3-384 hash: 6a8fe7705ddc372d0ef3237b00e89eb9e5daf3fa5185dbaae7d6d252d7f4469bbb46854304dea8f703fef0143062c3e5
SHA1 hash: daffd1a57a68d13fd10334ee7f5571909af00fa6
MD5 hash: 24e56ed26c65dc517ae0aadef2c2b364
humanhash: venus-fruit-fruit-table
File name:Releve__ID9925568540201.vbs
Download: download sample
File size:9'494 bytes
First seen:2022-04-15 07:48:07 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:m8pQQmC7yd6F6PX1385Re+58eGI56HEl5e8BQsHEl5e8QhQ+5zR76y5n8QX1385t:m8pr7yJkkcgCiQumhcZxg6cjfmATxqGW
TLSH T135129012043C5BF6D3DA482899E66FE86E7873E3A3CBF504D3A96C89153D20D57206ED
Reporter abuse_ch
Tags:vbs


Avatar
abuse_ch
Payload URL:
https://pastetext.net/raw/cuwgtoc2dj

Intelligence


File Origin
# of uploads :
1
# of downloads :
470
Origin country :
n/a
Vendor Threat Intelligence
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl
Score:
80 / 100
Signature
Drops VBS files to the startup folder
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609824 Sample: Releve__ID9925568540201.vbs Startdate: 15/04/2022 Architecture: WINDOWS Score: 80 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Sigma detected: Drops script at startup location 2->49 51 2 other signatures 2->51 7 wscript.exe 1 2->7         started        10 wscript.exe 1 2->10         started        12 wscript.exe 1 2->12         started        process3 signatures4 53 Wscript starts Powershell (via cmd or directly) 7->53 14 powershell.exe 14 18 7->14         started        19 powershell.exe 10->19         started        21 powershell.exe 6 12->21         started        process5 dnsIp6 41 pastetext.net 188.114.96.7, 443, 49776 CLOUDFLARENETUS European Union 14->41 37 C:\Users\Public\cuwgtoc2dj.PS1, UTF-8 14->37 dropped 43 Drops VBS files to the startup folder 14->43 23 powershell.exe 24 14->23         started        27 conhost.exe 14->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        file7 signatures8 process9 dnsIp10 39 185.81.157.65, 49783, 49786, 7780 INU-ASFR France 23->39 33 C:\Users\...behaviorgraphoogleChromeUpdateHandlerx64.vbs, ASCII 23->33 dropped 35 C:\Users\...behaviorgraphoogleChromeUpdateHandler.vbs, ASCII 23->35 dropped file11
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2022-04-15 07:49:07 UTC
File Type:
Text (VBS)
AV detection:
1 of 42 (2.38%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://pastetext.net/raw/cuwgtoc2dj
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments