MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fd542be41273b2709ed1b8b4eb7a50d284a20afbd6a4a0a4f50f482a30435d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fd542be41273b2709ed1b8b4eb7a50d284a20afbd6a4a0a4f50f482a30435d1
SHA3-384 hash: 126f1ef16e6d2fecad7bbe57a69d7f946e2f2a7ffa8d9fa349a331cd902214fe4306e4ad7ee0a72605aabcb022a6e15c
SHA1 hash: 3eb25ee8ba968175ca16e1845b257b7e793297d5
MD5 hash: 638c8b218ac30b6708cbb115dd410f20
humanhash: helium-charlie-lion-colorado
File name:dkglbdyuovtoim.ps1
Download: download sample
File size:11'351'347 bytes
First seen:2025-01-29 03:30:20 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3072:M4PfYzX4fXQxSvvTt6Q6VJG26GYik/QLcbcUbhaZzZG4WQc3:V
Threatray 12 similar samples on MalwareBazaar
TLSH T1AAB6424113B18BAEF7E80794C4F24C5C2CFA655974712685DB82B57F6C0FED280BAA27
Magika powershell
Reporter 1ZRR4H
Tags:coyote pinkeosemrabo-com ps1 semrabo-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
CL CL
Vendor Threat Intelligence
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6799a27339cd5095f12afc3a
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive obfuscated
Link:
https://www.filescan.io/uploads/6799a0f9da4bf222b72dd99c/reports/b2a5a8e0-8ba5-47d8-b8e5-0102722b12dd/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0fd542be41273b2709ed1b8b4eb7a50d284a20afbd6a4a0a4f50f482a30435d1
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1601971
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0fd542be41273b2709ed1b8b4eb7a50d284a20afbd6a4a0a4f50f482a30435d1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fd542be41273b2709ed1b8b4eb7a50d284a20afbd6a4a0a4f50f482a30435d1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7kufpsbe45socpndofu5n5fbuueuifpxvveucspkd2ifiyegxiq._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
Similar samples:
09e79ec83fba30ac5b424cd6c0fbee4f61d62a7438b1e1cf4461f34327cd65ae
0fd542be41273b2709ed1b8b4eb7a50d284a20afbd6a4a0a4f50f482a30435d1
602491397c1c6162284c5a87e34bd40383d18a41d5238a66126e192ee3b1932d
64b51ed78bf05c711ab4a5e15617cf9a9297009708d2c1a1fb960beae67ed3e6
83c73a2e1d118c2b7b8c634d705e99e583f54d13f22123a03b235c4a8a9c2dd2
9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b
error
f75c52684ec2fe9479f4ceb28c3cec36885e304003f02308b5be11cdd08187f3
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250129-d23bxsspbk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments