MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1b1e66de0451e6a9f53afdf2dfbf86be1bc9d520a67a43cfce4a6d4f805a9cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	f1b1e66de0451e6a9f53afdf2dfbf86be1bc9d520a67a43cfce4a6d4f805a9cb
SHA3-384 hash:	8c516b85b3fbe602ee7df007e3a838b96be8997bf7f7280d62e826416b471d1ee6b7dd84f77ce392b5acab690a95af21
SHA1 hash:	460b8239857179776839435b2002a83d80194b53
MD5 hash:	034bbd1c906af69a928f0dac4c1344f7
humanhash:	bravo-wolfram-island-william
File name:	Yeah3.vbs
Download:	download sample
Signature	Havoc Alert Create hunting rule
File size:	17'168 bytes
First seen:	2025-07-27 23:11:48 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	192:7VScQhHepJQSEl+U/pPRDfsMtCDRMKmOOe3mhf3XJ3ZP3pBWhk7h1hZhWd+Gsp:7VSc8+m+UBPRD0MthKm40jJ
Threatray	6 similar samples on MalwareBazaar
TLSH	T19E72E298AFA841970FEF5368196312A32F144063C1153F9AA85FE15826EF4FCA6DDCCC
Magika	vba
Reporter	smica83
Tags:	Havoc vbs

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

35

Origin country :

HU

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/17242/

CyberFortress Malicious

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6886b3100b4775fb213260cc

Tags:

obfuscate shell sage

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

dropper evasive obfuscated powershell

Link:

https://www.filescan.io/uploads/6886b270a16348d835f06ad0/reports/56b52d46-bca9-41aa-8d96-5ce3a0c55433/overview

Hybrid Analysis Unknown

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/f1b1e66de0451e6a9f53afdf2dfbf86be1bc9d520a67a43cfce4a6d4f805a9cb

Joe Sandbox Havoc

Result

Threat name:

Havoc

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1745264

Signature

.NET source code contains very large strings

Bypasses PowerShell execution policy

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Powershell drops PE file

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

VBScript performs obfuscated calls to suspicious functions

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Havoc

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Benign

Score:

1%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/f1b1e66de0451e6a9f53afdf2dfbf86be1bc9d520a67a43cfce4a6d4f805a9cb

Malva.RE Malware

Verdict:

Malware

YARA:

1 match(es)

Tags:

DeObfuscated Obfuscated Scripting.Dictionary T1059.005 VBScript

Link:

https://app.malva.re/file/034bbd1c906af69a928f0dac4c1344f7

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f1b1e66de0451e6a9f53afdf2dfbf86be1bc9d520a67a43cfce4a6d4f805a9cb/

Neiki Trojan-Downloader.Win64.Havoc

Verdict:

Malicious

Threat:

Trojan-Downloader.Win64.Havoc

Link:

https://tip.neiki.dev/file/f1b1e66de0451e6a9f53afdf2dfbf86be1bc9d520a67a43cfce4a6d4f805a9cb

ReversingLabs TitaniumCloud Win32.Trojan.Generic

Threat name:

Win32.Trojan.Generic

Alert

Create hunting rule

Status:

Suspicious

First seen:

2025-07-27 22:42:44 UTC

File Type:

Text

AV detection:

6 of 24 (25.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6gy6m3paiupgvh2tv7ps367ynpq3zhksbjt2iph44stnj6afvhfq._file

Threatray havoc

Verdict:

malicious

Label(s):

havoc

Alert

Create hunting rule

Similar samples:

0fcfd0d96f6a07a100e1889a9155a16250995c623a04d20a38b5448e1352d1ad

Havoc

1c90bf627974304daff3ecc3431ab612e295a2775b445e35d885acac4c9185a7

Havoc

error

Havoc

Hatching Triage havoc

Result

Malware family:

havoc

Alert

Create hunting rule

Score:

  10/10

Tags:

family:havoc backdoor execution

Link:

https://tria.ge/reports/250727-26xh8ss1fs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Detects Havoc payload

Havoc family

Havoc, HavocC2

Malware Config

Dropper Extraction:

https://carbuckxiv.s3.eu-west-3.amazonaws.com/Carbon3.dll

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f1b1e66de0451e6a9f53afdf2dfbf86be1bc9d520a67a43cfce4a6d4f805a9cb

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/17242/