MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1746d2d3676d580b27e8d078be22621979062f41e5de08f37e9b7e729a183bbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	1746d2d3676d580b27e8d078be22621979062f41e5de08f37e9b7e729a183bbf
SHA3-384 hash:	2f75d60237dd253a27dc94613ae7044a3729d4ede09c1fa761cb3d4a5e6c3bed63ab5e4a7861da757abf7df8e0d71c34
SHA1 hash:	43c3e3159d467e8bbcb82002557c9dc9d25e9738
MD5 hash:	60cdf1336f0f193dca4c27b1ce39d329
humanhash:	arkansas-magnesium-speaker-violet
File name:	test22.ps1
Download:	download sample
File size:	4'011'048 bytes
First seen:	2025-09-18 12:00:42 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	49152:z7Gr+nUx0x4XY0beE/Fj91/PQlVFAHaxcTWckYcYM:h
Threatray	9 similar samples on MalwareBazaar
TLSH	T19C0633609E9BAFBD06A8633C71BB4F0C97E01F469049D9E763E0BDE6452EF41112F918
Magika	powershell
Reporter	abuse_ch
Tags:	ps1

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68cbf52d88b954439247bdd4

Tags:

virus agent spawn

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 evasive krypt lolbin obfuscated reconnaissance regasm stealer

Link:

https://www.filescan.io/uploads/68cbf5dd390649f7a5f2bf90/reports/d8aadc53-34b8-4420-b611-18784c3c8a09/overview

Verdict:

Suspicious

Labled as:

Trojan/PS.Obfuscated

Link:

https://www.hybrid-analysis.com/sample/1746d2d3676d580b27e8d078be22621979062f41e5de08f37e9b7e729a183bbf

Verdict:

Malicious

File Type:

ps1

First seen:

2025-09-18T03:23:00Z UTC

Last seen:

2025-09-18T03:23:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/1746d2d3676d580b27e8d078be22621979062f41e5de08f37e9b7e729a183bbf/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1779975

Signature

AI detected malicious Powershell script

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Suspicious execution chain found

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected MSILLoadEncryptedAssembly

Yara detected Powershell decode and execute

Behaviour

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/1746d2d3676d580b27e8d078be22621979062f41e5de08f37e9b7e729a183bbf

Verdict:

Malware

YARA:

1 match(es)

Tags:

Base64 Block Contains Base64 Block DeObfuscated PowerShell

Link:

https://app.malva.re/file/60cdf1336f0f193dca4c27b1ce39d329

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1746d2d3676d580b27e8d078be22621979062f41e5de08f37e9b7e729a183bbf/

Threat name:

Script-PowerShell.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-09-18 09:23:38 UTC

File Type:

Text (PowerShell)

AV detection:

9 of 38 (23.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c5dnfu3hnvmawj7i2b4l4itcdf4qml2b4xpar436tn7hfgqyho7q._file

Verdict:

malicious

Label(s):

fantomcrypt

637ed97005e481b6d3c09cf74d8053a4367c245a440425f06c033093ecdedea9

a633a1e2cabbca8225ff625e50860380477853e43cca5942cb97f21aeca6e99b

a8c873cc72350c6ee8ec2d5ca11086b17245807a60a60ab1cd1ede6735890d60

b72bf5446c7020da5ef9e776b6109d592da1ea6361b8c44cf0d3ee42dc52f581

e2de929008063320fba689db3e7d1be5a4ea6aca256e74e6b4659dc7b2379f41

error

f46733f8e9282a7cb2850b1abbfad154b06960cd07db4fda1e17dd40663a6d3d

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery execution

Link:

https://tria.ge/reports/250918-n96dnafn4t/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1746d2d3676d580b27e8d078be22621979062f41e5de08f37e9b7e729a183bbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ps1 1746d2d3676d580b27e8d078be22621979062f41e5de08f37e9b7e729a183bbf

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3626001/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample