MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 005fa587ac59f8def757e016a738cc7b0acfbe5a2de0fd40a104e206bc0ed321. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 005fa587ac59f8def757e016a738cc7b0acfbe5a2de0fd40a104e206bc0ed321
SHA3-384 hash: 3a9e166f67006ff216cc3b73b2735e6f2e170ed555d48fef654e39c48a803ff9d47b729be23d949d9830f607693bc85a
SHA1 hash: d05cb73b1bafdff4059fb8cc516cbb08b9e33558
MD5 hash: 5f9bb1217a347d609708c53d45ac6b6d
humanhash: pennsylvania-low-fruit-alabama
File name:inv.bat
Download: download sample
File size:2'565 bytes
First seen:2025-05-20 11:46:54 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 48:j4k6oqqWoJHJm2Mu6pwKGS2shWE9KGnKGIH50h3wQohJBncK4rehiLK48UPwCK4Y:j4k6oqZoJpO4KFRKeKvZ6wQbKmLKfKL2
TLSH T1BE5162032A4992386EA602EF423E1EF4FA0A91D59381256D21FE649565033EDD1BF1EF
Magika batch
Reporter abuse_ch
Tags:bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
inv.bat
Verdict:
Malicious activity
Analysis date:
2025-05-20 12:24:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee5b0305-6a4c-4ea0-93c7-db1a428fd6bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682c6bcdc28c67d666424b42
Tags:
xtreme shell spawn
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
attrib dropper evasive obfuscated persistence powershell
Link:
https://www.filescan.io/uploads/682c6bcdc609634bd7cb4fd3/reports/5c7eaae9-7203-41c1-a194-6641f96f9d62/overview
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/005fa587ac59f8def757e016a738cc7b0acfbe5a2de0fd40a104e206bc0ed321
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1694893
Signature
Joe Sandbox ML detected suspicious sample
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1694893 Sample: inv.bat Startdate: 20/05/2025 Architecture: WINDOWS Score: 56 16 involves-overnight-venezuela-visited.trycloudflare.com 2->16 18 Joe Sandbox ML detected suspicious sample 2->18 20 Sigma detected: Suspicious Invoke-WebRequest Execution 2->20 22 Sigma detected: Suspicious Script Execution From Temp Folder 2->22 7 cmd.exe 1 2 2->7         started        signatures3 process4 signatures5 24 Suspicious powershell command line found 7->24 10 powershell.exe 14 15 7->10         started        12 powershell.exe 15 7->12         started        14 conhost.exe 7->14         started        process6
Score:
16%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/005fa587ac59f8def757e016a738cc7b0acfbe5a2de0fd40a104e206bc0ed321
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/005fa587ac59f8def757e016a738cc7b0acfbe5a2de0fd40a104e206bc0ed321/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-20 11:47:21 UTC
File Type:
Text (Batch)
AV detection:
6 of 23 (26.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abp2lb5mlh4n552x4alkoogmpmfm7ps2fxqp2qfbatranpao2mqq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250520-nxzqcacj9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/005fa587ac59f8def757e016a738cc7b0acfbe5a2de0fd40a104e206bc0ed321

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Batch (bat) bat 005fa587ac59f8def757e016a738cc7b0acfbe5a2de0fd40a104e206bc0ed321

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3522235/
  
Delivery method
Distributed via web download

Comments