8301fc2c740f6309864e68b6e429d0f0
Hash
- MD5: 8301fc2c740f6309864e68b6e429d0f0
- SHA1: d80650dc75d54100bd9da8f1bb6fb33bd181c05b
- SHA256: 21aeb6f9e509c26d909f10182589f8f20372181fddcf3ae7a251e4981ed13d43
- First Seen: 2026-05-15
- Last Seen: 2026-05-15
Additional Information
VirusTotal
{
"data": {
"id": "21aeb6f9e509c26d909f10182589f8f20372181fddcf3ae7a251e4981ed13d43",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/21aeb6f9e509c26d909f10182589f8f20372181fddcf3ae7a251e4981ed13d43"
},
"attributes": {
"total_votes": {
"harmless": 0,
"malicious": 2
},
"reputation": -53,
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Script.ObfDldr.4!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260528",
"category": "malicious",
"result": "GT:VB.Heur2.ObfDldr.34.7D42DB29"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260528",
"category": "malicious",
"result": "vba.trojan.kimsuky"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260527",
"category": "malicious",
"result": "Script.Trojan.A25636685"
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Script.Agent"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260527",
"category": "malicious",
"result": "GT:VB.Heur2.ObfDldr.34.7D42DB29"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.54.59636",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.54.59636",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20230417",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1216",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan Horse"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260527",
"category": "malicious",
"result": "VBS/Kimsuky.BS trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260527",
"category": "malicious",
"result": "VBS:Obfuscated-gen [Trj]"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260527",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260528",
"category": "malicious",
"result": "HEUR:Trojan.Script.Generic"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260527",
"category": "malicious",
"result": "GT:VB.Heur2.ObfDldr.34.7D42DB29"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Kimsuky/VBS!8.13D95 (TOPIS:E0:KScMdfpnUCL)"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.TR/VBS.Obfuscated"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260528",
"category": "malicious",
"result": "VBS.Starter.534"
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5609",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260528",
"category": "malicious",
"result": "ti!21AEB6F9E509"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260527",
"category": "malicious",
"result": "GT:VB.Heur2.ObfDldr.34.7D42DB29 (B)"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "8019ebe:8019ebe:4ac772e:4ac772e",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44700AVA:64.31318",
"engine_update": "20260528",
"category": "malicious",
"result": "GT:VB.Heur2.ObfDldr.34.7D42DB29"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1779922840",
"engine_update": "20260528",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260527",
"category": "malicious",
"result": "TR/VBS.Obfuscated"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38681",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260527",
"category": "malicious",
"result": "GT:VB.Heur2.ObfDldr.34.7D42DB29"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107113",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan:Script/Wacatac.B!ml"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260527",
"category": "malicious",
"result": "ABTrojan.KADO-"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan/VBS.RUNNER.SC314570"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-28.01",
"engine_update": "20260528",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260528",
"category": "malicious",
"result": "Script.Trojan.Generic.Dtgl"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.VBS.Kimsuky"
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260528",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260527",
"category": "malicious",
"result": "VBS:Obfuscated-gen [Trj]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:MSOffice/Heur2.Ohj!iyn"
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260527-02",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.782",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260528",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": null,
"engine_update": "20260528",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260528",
"category": "type-unsupported",
"result": null
}
},
"type_tag": "vba",
"last_analysis_date": 1779930604,
"ssdeep": "6:Zxnjb7wAHAq63kbMvuuuuFo9CCfoOv2iaZ558/fO38rZQOey9aHZZUcGiOhuuJv+:jjb76iyu6oIdOuH3OeykfUfrq8Q7",
"vhash": "1530b57543b66cd9d4f94f3c8b446287",
"magic": "ASCII text, with CRLF, LF line terminators",
"md5": "8301fc2c740f6309864e68b6e429d0f0",
"sha1": "d80650dc75d54100bd9da8f1bb6fb33bd181c05b",
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "System File Execution Location Anomaly",
"rule_description": "Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.\n",
"rule_author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe",
"Image": "\\??\\C:\\Windows\\system32\\conhost.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Change PowerShell Policies to an Insecure Level",
"rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Product": "Microsoft\u00ae Windows\u00ae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\whale.vbs\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\wale.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\<USER>\\AppData\\Roaming\\wale.ps1",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\u00ae Windows\u00ae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\wscript.exe\" \"C:\\Users\\Bruno\\Desktop\\whale.vbs\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\wale.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\wscript.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\Administrator\\AppData\\Roaming\\wale.ps1",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "884b7e21f67a56fc9cb312bdbc27e658c101c449662b2f9e25fd463a75715971",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Registry Tampering by Potentially Suspicious Processes",
"rule_description": "Detects suspicious registry modifications made by suspicious processes, such as script engine processes like WScript or CScript.\nThese processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry\nwithout using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"EventType": "SetValue",
"Details": "DWORD (0x00000001)",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass"
}
},
{
"values": {
"EventID": "13",
"Details": "DWORD (0x00000001)",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
}
},
{
"values": {
"EventType": "SetValue",
"EventID": "13",
"Image": "C:\\Windows\\System32\\WScript.exe",
"Details": "DWORD (0x00000001)",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet"
}
},
{
"values": {
"EventType": "SetValue",
"Details": "DWORD (0x00000000)",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Invocation From Script Engines",
"rule_description": "Detects suspicious powershell invocations from interpreters or unusual programs",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\u00ae Windows\u00ae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\whale.vbs\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\wale.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\u00ae Windows\u00ae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\wscript.exe\" \"C:\\Users\\Bruno\\Desktop\\whale.vbs\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\wale.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\wscript.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Product": "Microsoft\u00ae Windows\u00ae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\whale.vbs\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\wale.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\<USER>\\AppData\\Roaming\\wale.ps1",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"Product": "Microsoft\u00ae Windows\u00ae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\wscript.exe\" \"C:\\Users\\Bruno\\Desktop\\whale.vbs\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\wale.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\wscript.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass -File C:\\Users\\Administrator\\AppData\\Roaming\\wale.ps1",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
}
],
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 1,
"medium": 3,
"low": 1
}
},
"type_extension": "vbs",
"type_tags": [
"source",
"vba",
"vbs",
"Vbscript"
],
"meaningful_name": "whale.vbs",
"last_submission_date": 1774630559,
"sha256": "21aeb6f9e509c26d909f10182589f8f20372181fddcf3ae7a251e4981ed13d43",
"unique_sources": 1,
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"EVADER"
],
"sandbox_name": "Zenbox",
"confidence": 72
},
"C2AE": {
"category": "undetected",
"malware_classification": [
"UNKNOWN_VERDICT"
],
"sandbox_name": "C2AE"
}
},
"times_submitted": 1,
"size": 386,
"tags": [
"vba",
"macro-powershell",
"environ",
"create-ole",
"long-sleeps",
"powershell",
"enum-windows",
"run-file"
],
"magika": "VBA",
"filecondis": {
"raw_md5": "268300e5ce87c14bbca95ae7680cba0a",
"dhash": "f4e4b49a88828480"
},
"type_description": "VBA",
"vba_info": {
"strings": [
"le ",
"%USERPROFILE%",
"pt.She",
"ecutionPo",
"ll.ex",
"e -wi",
"ershe",
"owstyle hi",
"dden -Ex",
"ypass -Fi",
"licy B",
"cri",
"\\\\AppData\\\\Roaming\\\\wale.ps1"
]
},
"popular_threat_classification": {
"popular_threat_category": [
{
"count": 14,
"value": "trojan"
}
],
"suggested_threat_label": "trojan.heur2/obfdldr",
"popular_threat_name": [
{
"count": 7,
"value": "heur2"
},
{
"count": 7,
"value": "obfdldr"
},
{
"count": 4,
"value": "kimsuky"
}
]
},
"tlsh": "T119E0DFB85160DA604DB1404AE0CC4C70F8258367CBB074AB1DE092A4128CE9D2F28D61",
"names": [
"whale.vbs"
],
"first_submission_date": 1774630559,
"last_analysis_stats": {
"malicious": 28,
"suspicious": 0,
"undetected": 33,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 14
},
"sigma_analysis_stats": {
"critical": 0,
"high": 1,
"medium": 3,
"low": 1
},
"last_modification_date": 1779937990,
"crowdsourced_ai_results": [
{
"category": "code_insight",
"source": "palm",
"verdict": "suspicious",
"analysis": "The provided script utilizes string concatenation to instantiate a shell object and obfuscate command-line arguments. It identifies a target file path pointing to a PowerShell script located within the user's Roaming AppData directory. The script then executes this PowerShell file using specific parameters to hide the command window and bypass the system's execution policy. The execution is synchronous, and the script terminates after the PowerShell process completes.",
"id": "21aeb6f9e509c26d909f10182589f8f20372181fddcf3ae7a251e4981ed13d43-file-palm"
}
]
}
}
}