MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6cbd9aff4b61c328eaa8d14015caeebef908badaa5faa538f4cc0db69f02781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiscordRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6cbd9aff4b61c328eaa8d14015caeebef908badaa5faa538f4cc0db69f02781
SHA3-384 hash: b2741b8c8ce7469b14f95a392d76a2f49d0f33ef90532c5ff6753c321faae4477f20c3b96f946b6827f0f9c5eaf4d710
SHA1 hash: da6859d19b711fe074aeb6bbcf11942b20e1fc1c
MD5 hash: fe86634fd9d3f77afdee715acbf9993e
humanhash: coffee-orange-golf-uniform
File name:Bahrwa.vbs
Download: download sample
Signature DiscordRAT
Create hunting rule
File size:523'877 bytes
First seen:2025-01-30 08:46:46 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12288:uETlKhYOTpI/rRoQHdoUr4zi4Oge2NzPczF:bv/rGWCNzPczF
TLSH T1F7B402BEAB4D1F4933BE345370DAA43114FB8891C06846EF8599ACB49CFCB6D07E4496
Magika vba
Reporter JAMESWT_WT
Tags:156-253-250-62 DiscordRAT StrelaStealer vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679b3d6339cd5095f12c115e
Tags:
dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint monero obfuscated powershell
Link:
https://www.filescan.io/uploads/679b3c8a26e855d1db530947/reports/445fe286-46b0-4fb6-bc60-892d94306a82/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f6cbd9aff4b61c328eaa8d14015caeebef908badaa5faa538f4cc0db69f02781
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Discord Token Stealer, Strela Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1602852
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: UAC Bypass via ICMLuaUtil
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Discord Token Stealer
Yara detected Strela Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1602852 Sample: Bahrwa.vbs Startdate: 30/01/2025 Architecture: WINDOWS Score: 100 115 224.185.13.0.in-addr.arpa 2->115 117 0x0.st 2->117 121 Malicious sample detected (through community Yara rule) 2->121 123 Yara detected Strela Stealer 2->123 125 Yara detected Discord Token Stealer 2->125 127 13 other signatures 2->127 12 wscript.exe 2 2->12         started        15 cmd.exe 2->15         started        17 cmd.exe 2->17         started        signatures3 process4 signatures5 149 VBScript performs obfuscated calls to suspicious functions 12->149 151 Wscript starts Powershell (via cmd or directly) 12->151 153 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->153 155 Suspicious execution chain found 12->155 19 cmd.exe 1 12->19         started        22 cmd.exe 15->22         started        24 conhost.exe 15->24         started        26 cmd.exe 17->26         started        28 conhost.exe 17->28         started        process6 signatures7 129 Suspicious powershell command line found 19->129 131 Wscript starts Powershell (via cmd or directly) 19->131 133 Uses cmd line tools excessively to alter registry or file data 19->133 135 Bypasses PowerShell execution policy 19->135 30 cmd.exe 2 19->30         started        33 conhost.exe 19->33         started        35 powershell.exe 22->35         started        37 powershell.exe 22->37         started        39 conhost.exe 22->39         started        41 reg.exe 22->41         started        43 powershell.exe 26->43         started        45 conhost.exe 26->45         started        47 2 other processes 26->47 process8 signatures9 157 Suspicious powershell command line found 30->157 159 Wscript starts Powershell (via cmd or directly) 30->159 161 Uses cmd line tools excessively to alter registry or file data 30->161 49 powershell.exe 14 36 30->49         started        54 powershell.exe 30->54         started        56 conhost.exe 30->56         started        58 reg.exe 30->58         started        163 Tries to harvest and steal browser information (history, passwords, etc) 35->163 60 csc.exe 37->60         started        62 cmstp.exe 37->62         started        64 csc.exe 43->64         started        66 cmstp.exe 43->66         started        process10 dnsIp11 111 0x0.st 168.119.145.117, 443, 49700, 49856 HETZNER-ASDE Germany 49->111 103 C:\Users\user\AppData\...\pnimaksp.cmdline, Unicode 49->103 dropped 137 Found many strings related to Crypto-Wallets (likely being stolen) 49->137 139 Loading BitLocker PowerShell Module 49->139 68 dllhost.exe 6 5 49->68         started        71 csc.exe 3 49->71         started        74 cmstp.exe 8 7 49->74         started        113 156.253.250.62, 49800, 49975, 49977 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 54->113 141 Tries to steal Mail credentials (via file / registry access) 54->141 143 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 54->143 145 Found suspicious powershell code related to unpacking or dynamic code loading 54->145 105 C:\Users\user\AppData\Local\...\hgeycijb.dll, PE32 60->105 dropped 76 cvtres.exe 60->76         started        107 C:\Users\user\AppData\Local\...\ms4rrgym.dll, PE32 64->107 dropped 78 cvtres.exe 64->78         started        file12 signatures13 process14 file15 147 Suspicious powershell command line found 68->147 80 powershell.exe 27 68->80         started        83 taskkill.exe 68->83         started        85 powershell.exe 68->85         started        89 3 other processes 68->89 109 C:\Users\user\AppData\Local\...\pnimaksp.dll, PE32 71->109 dropped 87 cvtres.exe 1 71->87         started        signatures16 process17 signatures18 119 Loading BitLocker PowerShell Module 80->119 91 conhost.exe 80->91         started        93 conhost.exe 83->93         started        95 conhost.exe 85->95         started        97 conhost.exe 89->97         started        99 conhost.exe 89->99         started        101 conhost.exe 89->101         started        process19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f6cbd9aff4b61c328eaa8d14015caeebef908badaa5faa538f4cc0db69f02781
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6cbd9aff4b61c328eaa8d14015caeebef908badaa5faa538f4cc0db69f02781/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=63f5tl7uwyodfdvkrukacxfo5pxzbc5nvjp2uu4pjtanw2pqe6aq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution persistence
Link:
https://tria.ge/reports/250130-kpvvmswnft/
Behaviour
Kills process with taskkill
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Unexpected DNS network traffic destination
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DiscordRAT

Visual Basic Script (vbs) vbs f6cbd9aff4b61c328eaa8d14015caeebef908badaa5faa538f4cc0db69f02781

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3420663/
  
Delivery method
Distributed via web download

Comments