MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 009bdac4e383601deec7388aadc43c9ce74b618d9f98424f64a2ace3ecb96f0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: 009bdac4e383601deec7388aadc43c9ce74b618d9f98424f64a2ace3ecb96f0d
SHA3-384 hash: 879616583241bdee97f2f5de946386fbb5f9a570d5c9b1bf665f9d59c80d379c0e2a42bfaefbf7114500b4a1a29c60fe
SHA1 hash: 840c8b09c05a3d1c19c09a2b3365fa8dc11686d6
MD5 hash: 455038e2e72dcdd31d3bbd4d89f94d44
humanhash: neptune-gee-florida-sad
File name: gets.ps1
File size: 8'358 bytes
First seen: 2025-04-17 06:16:11 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 192:p25pjtaPiF5pjtvUOVk1Gyp/SD2zKDUtXDZABygKlkO7BGTG:Q5pxf5pxlKIq
TLSH: T13102B51AE6040227CFB263E91D45DC09F28F404B82635F5974BCB0847FB22BD46E79AE
Magika: powershell
Reporter: abuse_ch
Tags: ps1

Intelligence


File Origin
# of uploads: 1
# of downloads: 89
Origin country: NL
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: autorun dropper shell sage
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm cmd cscript evasive findstr fltmc lolbin persistence powershell reg wmic
Result
Threat name: n/a
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Command shell drops VBS files
Drops script or batch files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
PE file contains section with special chars
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Behavior Graph ID: 1667185, Sample: gets.ps1, Startdate: 17/04/2025, Architecture: WINDOWS, Score: 100 (graph image not reproduced here)
Threat name: Script-BAT.Downloader.Nemucod
Status: Malicious
First seen: 2025-04-17 01:38:33 UTC
File Type: Text (PowerShell)
AV detection: 4 of 24 (16.67%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery execution trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Malware Config
Dropper Extraction: https://massgrave.dev/troubleshoot
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: PowerShell (PS) ps1 009bdac4e383601deec7388aadc43c9ce74b618d9f98424f64a2ace3ecb96f0d (this sample)
Delivery method: Distributed via web download
