MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eea99f22aca1ebe449b97faafe79fd1d6e71441ccc40315a2e629280f65de0f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12



SHA256 hash: eea99f22aca1ebe449b97faafe79fd1d6e71441ccc40315a2e629280f65de0f8
SHA3-384 hash: 793624d238732194393f28025eb0941308409e7b568585c174635c171c7d814c90ea57bf52b7c39091e158fcddae0e9f
SHA1 hash: 307e039164b82807414fc9f1052b47b4626bfbc5
MD5 hash: c071a567f1d9c6cba7cc9d3e50d24418
humanhash: wisconsin-fanta-nuts-victor
File name: SSA Secure Access.vbs
File size: 38'866 bytes
First seen: 2025-12-04 21:02:36 UTC
Last seen: 2025-12-05 16:32:07 UTC
File type: Visual Basic Script (vbs)
MIME type:text/plain
ssdeep 384:23wt1tgCmKXMgutiPcIfjmdBmf6pNp4Kdm4dwvIFSX3OVhhCIayQd8XA50QKV2ND:7XMrclSzp4KLCnAQ6w+AN8V2T
Threatray 1'072 similar samples on MalwareBazaar
TLSH T12D03EB5B1E28EDD0338F7A78AE9C619012D0DB5F6FB391A1D04BC5B12F229A874047B3
Magika vba
Reporter Anonymous
Tags: vbs

Intelligence


File Origin
# of uploads: 2
# of downloads: 75
Origin country: US
Vendor Threat Intelligence
No detections
Verdict: Malicious
Score: 94.9%
Tags: connectwise obfuscate xtreme shell
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive obfuscated
Verdict: Malicious
File Type: vbs
First seen: 2025-12-03T15:31:00Z UTC
Last seen: 2025-12-03T15:59:00Z UTC
Hits: ~10
Detections: Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic Trojan-Downloader.Agent.HTTP.C&C Trojan-Downloader.JS.SLoad.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.Win32.Agent.sb Trojan.VBS.SAgent.sb PDM:Trojan.Win32.Generic not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
Verdict: Malware
YARA: 1 match(es)
Tags: DeObfuscated Obfuscated T1059.005 VBS Execute Sub-Script VBScript
Verdict: Malicious
Threat: Trojan-Downloader.JS.ConnectWise
Threat name: Script-WScript.Trojan.AgentTesla
Status: Malicious
First seen: 2025-12-03 18:28:59 UTC
File Type: Text (VBS)
AV detection: 12 of 38 (31.58%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: backdoor discovery execution persistence privilege_escalation ransomware rat revoked_codesign
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Binary is signed using a ConnectWise certificate revoked for key compromise.
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
