MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef6efaa86cc34c9d4d390575c42179b5f680daa0945ac850d62fa8fdbbeaa97c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11


SHA256 hash: ef6efaa86cc34c9d4d390575c42179b5f680daa0945ac850d62fa8fdbbeaa97c
SHA3-384 hash: f030756f938fb47a7a8da56f253a56256c791bbc438c08f033c4a8f151845627507e03cdb336604f90380f3ab8cea086
SHA1 hash: 9e8069045db096604dc35cf551ae8b8683f75377
MD5 hash: 07260334f87ea73da4bc6bf3e7703e78
humanhash: pasta-crazy-harry-cola
File name: ZIP_Deploy.vbs
File size: 16'362 bytes
First seen: 2026-07-03 07:18:09 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 192:l7e7CN+b/HQW654TJh2089jtFkfuqhW2m23+vPd+QtTVFBBIAfpQq/F///fWEU7F:l7e78II/0MzqhW2MvPxtTVDBIAQXcG
TLSH: T180727F948918C0D0A67A7D6314B371D8F99F4B725F601918BF8F8D0C9F2AB27C0E5B99
Magika: vba
Reporter: abuse_ch
Tags: vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 67
Origin country: SE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 90.2%
Tags: sage blic smtp

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm bitsadmin certutil downloader dropper evasive fingerprint lolbin obfuscated

Verdict: Malicious
File Type: vbs
First seen: 2026-06-11T23:21:00Z UTC
Last seen: 2026-07-03T12:58:00Z UTC
Hits: ~100
Detections: HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.Script.Generic PDM:Trojan.Win32.Generic Trojan.VBS.Runner.sb Trojan.JS.SAgent.sb Trojan-Downloader.Win32.Bitser.sb Trojan-Downloader.JS.Cryptoload.sb
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Enables network access during safeboot for specific services
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Potential context-aware VBS script found (checks for environment specific values)
Potential malicious VBS script found (suspicious strings)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes or reads registry keys via WMI
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph (ID: 1937099; Sample: ZIP_Deploy.vbs; Startdate: 03/07/2026; Architecture: WINDOWS; Score: 100)

Contacted domains: cayif.hellokism.click, cl-glcb907925.gcdn.co
Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 11 other signatures
Processes started by the sample: msiexec.exe, wscript.exe, dcagentservice.exe, 2 other processes

msiexec.exe
  Dropped: C:\Program Files (x86)\...\dcconfig.exe (PE32); C:\...\dcagentregister.exe (PE32); C:\Windows\SysWOW64\dclibxml2.dll (PE32); 16 other files (none is malicious)
  Started: dcagentregister.exe, msiexec.exe

wscript.exe
  Dropped: C:\Users\Public\Documents\...\shlwapi.dll (PE32+); C:\Users\Public\Documents\...\setup1.vbs (ISO-8859); C:\Users\Public\Documents\...\kernel32.dll (PE32+)
  Signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Potential malicious VBS script found (suspicious strings); 3 other signatures
  Started: wscript.exe, cmd.exe

dcagentservice.exe
  Started: dcinventory.exe, dcconfig.exe, dcusbsummary.exe, 15 other processes (which in turn started 11 other processes)

2 other processes (started by the sample)
  Started: conhost.exe

dcagentregister.exe
  Network: 202.61.160.145, ports 49737, 49739, 49740 (CTGSERVERLIMITED-AS-APCTGServerLimitedHK, Japan)
  Signatures: Installs new ROOT certificates; Enables network access during safeboot for specific services
  Started: 7za.exe, cmd.exe, dcstatusutil.exe

wscript.exe (child of wscript.exe)
  Signature: WScript reads language and country specific registry keys (likely country aware script)
  Started: wscript.exe, which shows the same signature and starts msiexec.exe (signature: Potential context-aware VBS script found (checks for environment specific values))

cmd.exe (child of wscript.exe)
  Started: 2 other processes
    Network: cayif.hellokism.click (91.213.189.199, ports 443, 49733; VMISS-CA-VMISSIncCA, Hong Kong SAR China); 127.0.0.1
    Dropped: C:\Users\Public\Documents\...\tmp704.zip (Zip)

dcinventory.exe
  Signature: Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
  Started: conhost.exe

dcconfig.exe
  Started: 2 other processes, which started conhost.exe

dcusbsummary.exe
  Started: dcusb64.exe, which started conhost.exe

7za.exe
  Dropped: C:\Program Files (x86)\...\dcstatusutil.exe (PE32); C:\Program Files (x86)\...\dcinventory.exe (PE32); C:\Program Files (x86)\...\wsClientSocket.dll (PE32); 69 other files (none is malicious)
  Signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: conhost.exe

cmd.exe (child of dcagentregister.exe)
  Started: systeminfo.exe, conhost.exe

systeminfo.exe
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
  Started: WmiPrvSE.exe

dcstatusutil.exe
  Started: conhost.exe
Verdict: Malicious
Threat: Trojan-Downloader.Win32.Runner

Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2026-06-14 03:35:45 UTC
File Type: Text (VBS)
AV detection: 11 of 24 (45.83%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery persistence ransomware spyware trojan
Behaviour
Checks SCSI registry key(s)
Gathers system information
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Modifies trusted root certificate store through registry
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Badlisted process makes network request
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_tiny_vbs
Author: daniyyell
Description: Detects tiny VBS delivery technique

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments