SUSP_VBS_Copying_Files_To_Folder_Apr23

Rule Info

Name: SUSP_VBS_Copying_Files_To_Folder_Apr23
Author: X__Junior
Description: Detects a unique pattern of VBS files that extracts payloads from a ZIP file. Often seen used by malicious and threat actors
Score: 75
Date: 2023-04-24
Minimum Yara: 1.7
Rule Hash: cdae4ae3d31f06983fe04dde6eb313f7
Tags: ['SUSP', 'SCRIPT']
Required Modules: []

Antivirus Verdicts

Rating: Number of Samples
Malicious (>= 10 engines): 2
Suspicious (< 10 engines): 1
Clean (0 engines): 64

Rule Matches


Rule Matches per Month (last 24 months)