MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea8fcad382a64ad10f139ba40fa81dc597cd779eda8a6fdadd5125fb96471c5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash: ea8fcad382a64ad10f139ba40fa81dc597cd779eda8a6fdadd5125fb96471c5f
SHA3-384 hash: d18c572bfbeb8f6cc289a8cf87346b67af76cdc8faeb8a089d0c4bbe8cb550206b4868e1dc2bc7f0e667aad8f0193b28
SHA1 hash: fb3fb36d9d612c0dfdfddb89c452bd718dc39258
MD5 hash: c491cf88775d9f8e7d4fae087dc68630
humanhash: seventeen-helium-green-saturn
File name:EASTERN_EXPRESS_LOGISTICS_PACKET_NEW.vbs
Download: download sample
File size:153 bytes
First seen:2026-07-18 08:46:49 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3:jeYcRm8nhr2SSJJFItGQqPJH0cVERvMXI3eD3uno6cxpv:jeUqhrK80QO0ceuzunoJL
TLSH T1E7C08C976408A7380A52BAA98626892F8871242A61A88096BB308A08300929CC315283
Magika vba
Reporter smica83
Tags:vbs

Intelligence


File Origin
# of uploads :
1
# of downloads :
77
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
92.5%
Tags:
shell overt sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Verdict:
Malicious
Labled as:
PowerShell_TrojanDownloader_Agent_GBK_trojan
Verdict:
Malicious
File Type:
vbs
First seen:
2026-07-17T15:28:00Z UTC
Last seen:
2026-07-17T16:47:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates files in the recycle bin to hide itself
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powerup Write Hijack DLL
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1944574 Sample: EASTERN_EXPRESS_LOGISTICS_P... Startdate: 18/07/2026 Architecture: WINDOWS Score: 100 55 google.defenders.workers.dev 2->55 57 ok.app-open.click 2->57 59 8 other IPs or domains 2->59 81 Antivirus detection for URL or domain 2->81 83 Yara detected Powershell download and execute 2->83 85 Sigma detected: WScript or CScript Dropper 2->85 87 2 other signatures 2->87 9 wscript.exe 1 2->9         started        12 wscript.exe 1 2->12         started        signatures3 process4 signatures5 91 VBScript performs obfuscated calls to suspicious functions 9->91 93 Wscript starts Powershell (via cmd or directly) 9->93 95 Bypasses PowerShell execution policy 9->95 99 2 other signatures 9->99 14 powershell.exe 14 1003 9->14         started        97 WScript reads language and country specific registry keys (likely country aware script) 12->97 19 node.exe 12->19         started        process6 dnsIp7 63 google.defenders.workers.dev 172.67.221.51, 443, 49763 CLOUDFLARENET-CloudflareIncUS Canada 14->63 65 nodejs.org 104.16.212.131, 443, 49768 CLOUDFLARENET-CloudflareIncUS Canada 14->65 67 nextjs781.ngrok.app 3.151.250.47, 443, 49769, 49770 AMAZON-02-AmazoncomIncUS United States 14->67 47 C:\Users\user\AppData\Local\Temp\...\nopt.js, a 14->47 dropped 49 C:\Users\user\...\macOS_Catalina_acid_test.sh, Bourne-Again 14->49 dropped 51 C:\Users\user\AppData\Local\...\test_gyp.py, Python 14->51 dropped 53 51 other files (none is malicious) 14->53 dropped 75 Loading BitLocker PowerShell Module 14->75 21 hige_3a9dfddbac554de8b1cf807cf7c557a2.exe 14->21         started        25 conhost.exe 14->25         started        69 gist.githubusercontent.com 185.199.109.133, 443, 49774 FASTLY-FastlyIncUS United States 19->69 71 api.ipify.org 104.26.13.205, 443, 49778 CLOUDFLARENET-CloudflareIncUS Canada 19->71 73 3 other IPs or domains 19->73 77 Suspicious powershell command line found 19->77 79 Tries to harvest and steal browser information (history, passwords, etc) 19->79 27 cmd.exe 19->27         started        29 powershell.exe 19->29         started        31 powershell.exe 19->31         started        33 3 other processes 19->33 file8 signatures9 process10 dnsIp11 61 nextjs2385.ngrok.io 3.17.7.232, 443, 49771, 49772 AMAZON-02-AmazoncomIncUS United States 21->61 89 Creates files in the recycle bin to hide itself 21->89 35 conhost.exe 21->35         started        37 tasklist.exe 27->37         started        39 conhost.exe 29->39         started        41 conhost.exe 31->41         started        43 conhost.exe 33->43         started        45 conhost.exe 33->45         started        signatures12 process13
Verdict:
Malware
YARA:
2 match(es)
Tags:
Batch Command DeObfuscated PowerShell PowerShell Call T1027 T1059.001 T1059.005 VBScript WScript.Shell
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Executes a command shell one-liner
Enumerates processes with tasklist
Executes a VBScript file via the Windows Script Host.
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments