
vega.exe,pattern.exe

CLASSIFICATION

Malicious

0

Antivirus detections

1

IDS alerts

14

Processes

3

Contacted hosts

3

DNS Requests
Indicator Context

Blacklist timeline

Malicious
116 days since the last reported activity.
No activity reported after Jul 16, 2025 (timeline axis: Jan 2022, Jan 2023, Jan 2024, Jan 2025; sources: Hybrid-Analysis, Abuse.ch; labels: Generic Malware, Zeppelin).

Sample information


Hashes
Filename:
vega.exe,pattern.exe
md5:
dcef208fcdac3345c6899a478d16980f
sha1:
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
sha256:
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
In depth details
Filetype:
application/x-dosexec
Size (Bytes):
425984
Classification:
malicious
Dates
Indexed:
2021-08-31 17:15:06
Last modified:
2025-07-16 09:30:06
Explore our API specification anytime here:

Request:

          
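# Read the key from the environment instead of pasting it into the command, so the
# literal secret is not written to shell history. MALTIVERSE_API_KEY is a constructed
# variable name; export it beforehand. The expanded header is still visible in the
# process list for the lifetime of the request; curl's "-H @file" or "--config"
# can be used when that matters.
curl -H "Authorization: Bearer ${MALTIVERSE_API_KEY:?export your Maltiverse API key first}" \
  "https://api.maltiverse.com/sample/824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc"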
        

Response:

      
{
    "blacklist": [
        {
            "count": 1,
            "description": "Zeppelin",
            "first_seen": "2021-08-31 16:32:29",
            "labels": [
                "malicious-activity"
            ],
            "last_seen": "2021-08-31 16:32:29",
            "source": "Abuse.ch"
        },
        {
            "count": 3,
            "description": "Generic Malware",
            "first_seen": "2025-07-16 09:15:04",
            "last_seen": "2025-07-16 09:30:05",
            "ref": [
                21745
            ],
            "source": "Hybrid-Analysis"
        }
    ],
    "classification": "malicious",
    "contacted_host": [
        "172.67.207.3",
        "158.69.65.151",
        "172.67.74.161"
    ],
    "creation_time": "2021-08-31 17:15:06",
    "dns_request": [
        "geoiptool.com",
        "iplogger.org",
        "www.geodatatool.com"
    ],
    "filename": [
        "vega.exe",
        "pattern.exe"
    ],
    "filetype": "application/x-dosexec",
    "is_alive": false,
    "is_cdn": false,
    "is_cnc": false,
    "is_distributing_malware": false,
    "is_hosting": false,
    "is_iot_threat": false,
    "is_known_attacker": false,
    "is_known_scanner": false,
    "is_mining_pool": false,
    "is_open_proxy": false,
    "is_phishing": false,
    "is_sinkhole": false,
    "is_storing_phishing": false,
    "is_tor_node": false,
    "is_vpn_node": false,
    "md5": "dcef208fcdac3345c6899a478d16980f",
    "modification_time": "2025-07-16 09:30:06",
    "network_suricata_alert": [
        {
            "category": "Potential Corporate Privacy Violation",
            "description": "ET INFO IP Check Domain (iplogger .org in TLS SNI)",
            "event": "172.67.74.161:443 (TCP)",
            "sid": "2035949"
        }
    ],
    "process_list": [
        {
            "name": "vega.exe",
            "normalizedpath": "C:\\vega.exe",
            "sha256": "824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc",
            "uid": "00000000-00008008"
        },
        {
            "commandline": "-start",
            "name": "svchost.exe",
            "normalizedpath": "%APPDATA%\\Microsoft\\Windows\\svchost.exe",
            "sha256": "824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc",
            "uid": "00000000-00007672"
        },
        {
            "commandline": "/C wmic shadowcopy delete",
            "name": "cmd.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\cmd.exe",
            "sha256": "4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051",
            "uid": "00000000-00000660"
        },
        {
            "commandline": "wmic  shadowcopy delete",
            "name": "WMIC.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\Wbem\\WMIC.exe",
            "sha256": "eff503b992a6e6ecae93b2b3bc6fa6b0cda0b5ee4ad99c8eb160b586271a57f8",
            "uid": "00000000-00002592"
        },
        {
            "commandline": "/C bcdedit /set {default} recoveryenabled no",
            "name": "cmd.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\cmd.exe",
            "sha256": "4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051",
            "uid": "00000000-00001136"
        },
        {
            "commandline": "/C bcdedit /set {default} bootstatuspolicy ignoreallfailures",
            "name": "cmd.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\cmd.exe",
            "sha256": "4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051",
            "uid": "00000000-00006260"
        },
        {
            "commandline": "/C wbadmin delete catalog -quiet",
            "name": "cmd.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\cmd.exe",
            "sha256": "4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051",
            "uid": "00000000-00006104"
        },
        {
            "commandline": "/C vssadmin delete shadows /all /quiet",
            "name": "cmd.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\cmd.exe",
            "sha256": "4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051",
            "uid": "00000000-00005952"
        },
        {
            "commandline": "vssadmin  delete shadows /all /quiet",
            "name": "vssadmin.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\vssadmin.exe",
            "sha256": "9d3cee88e010136e3bf9a1e519549cf5ca270284a1fc0830a0e9bed2bfd6e76a",
            "uid": "00000000-00000420"
        },
        {
            "commandline": "/C %TEMP%\\~temp001.bat",
            "name": "cmd.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\cmd.exe",
            "sha256": "4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051",
            "uid": "00000000-00003140"
        },
        {
            "commandline": "wmic  shadowcopy delete",
            "name": "WMIC.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\Wbem\\WMIC.exe",
            "sha256": "eff503b992a6e6ecae93b2b3bc6fa6b0cda0b5ee4ad99c8eb160b586271a57f8",
            "uid": "00000000-00001848"
        },
        {
            "commandline": "vssadmin  delete shadows /all /quiet",
            "name": "vssadmin.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\vssadmin.exe",
            "sha256": "9d3cee88e010136e3bf9a1e519549cf5ca270284a1fc0830a0e9bed2bfd6e76a",
            "uid": "00000000-00002304"
        },
        {
            "commandline": "-agent 0",
            "name": "svchost.exe",
            "normalizedpath": "%APPDATA%\\Microsoft\\Windows\\svchost.exe",
            "sha256": "824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc",
            "uid": "00000000-00003368"
        },
        {
            "name": "notepad.exe",
            "normalizedpath": "%WINDIR%\\SysWOW64\\notepad.exe",
            "sha256": "f60e23e0d5cbd44794977c641d07228f8c7a9255f469a1fe9b2ae4c4cc009edc",
            "uid": "00000000-00007736"
        }
    ],
    "score": 10,
    "sha1": "fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0",
    "sha256": "824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc",
    "size": 425984,
    "tag": [
        "malicious"
    ],
    "type": "sample"
}
    
IDS Alerts

IDS alerts triggered during the execution of this sample.

| SID | Category | Description | Event |
| --- | --- | --- | --- |
| 2035949 | Potential Corporate Privacy Violation | ET INFO IP Check Domain (iplogger .org in TLS SNI) | 172.67.74.161:443 (TCP) |
Network contacts

IP addresses and hostnames contacted by this sample during execution.

Process list

List of processes spawned by this sample during execution.

Process
uid
00000000-00008008
name
vega.exe
normalizedpath
C:\vega.exe
sha256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
uid
00000000-00007672
commandline
-start
name
svchost.exe
normalizedpath
%APPDATA%\Microsoft\Windows\svchost.exe
sha256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
uid
00000000-00000660
commandline
/C wmic shadowcopy delete
name
cmd.exe
normalizedpath
%WINDIR%\SysWOW64\cmd.exe
sha256
4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051
uid
00000000-00002592
commandline
wmic shadowcopy delete
name
WMIC.exe
normalizedpath
%WINDIR%\SysWOW64\Wbem\WMIC.exe
sha256
eff503b992a6e6ecae93b2b3bc6fa6b0cda0b5ee4ad99c8eb160b586271a57f8
uid
00000000-00001136
commandline
/C bcdedit /set {default} recoveryenabled no
name
cmd.exe
normalizedpath
%WINDIR%\SysWOW64\cmd.exe
sha256
4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051
uid
00000000-00006260
commandline
/C bcdedit /set {default} bootstatuspolicy ignoreallfailures
name
cmd.exe
normalizedpath
%WINDIR%\SysWOW64\cmd.exe
sha256
4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051
uid
00000000-00006104
commandline
/C wbadmin delete catalog -quiet
name
cmd.exe
normalizedpath
%WINDIR%\SysWOW64\cmd.exe
sha256
4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051
uid
00000000-00005952
commandline
/C vssadmin delete shadows /all /quiet
name
cmd.exe
normalizedpath
%WINDIR%\SysWOW64\cmd.exe
sha256
4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051
uid
00000000-00000420
commandline
vssadmin delete shadows /all /quiet
name
vssadmin.exe
normalizedpath
%WINDIR%\SysWOW64\vssadmin.exe
sha256
9d3cee88e010136e3bf9a1e519549cf5ca270284a1fc0830a0e9bed2bfd6e76a
uid
00000000-00003140
commandline
/C %TEMP%\~temp001.bat
name
cmd.exe
normalizedpath
%WINDIR%\SysWOW64\cmd.exe
sha256
4c3ea4c44aab74350355c419826b8c9e6172c3bd8f0bb5817ecf7be50b629051