MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ae3af7517c66182b3ca64e025c4b9b74add830a7a2fc06c41914c6df17581f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	1ae3af7517c66182b3ca64e025c4b9b74add830a7a2fc06c41914c6df17581f9
SHA3-384 hash:	b97a2f49dc30422914025b54d63b6cb12e0d1a467bcde154eb6b2082e3af2a3a653b2c57c3de4abb0ea2684e051a35c3
SHA1 hash:	ff88268e3c48cedad7590af211b9f9e875b1f45c
MD5 hash:	ad88c51e409c563ca0886c9913250978
humanhash:	bakerloo-batman-uniform-august
File name:	1ae3af7517c66182b3ca64e025c4b9b74add830a7a2fc06c41914c6df17581f9.ps1
Download:	download sample
File size:	7'790 bytes
First seen:	2025-12-23 10:33:13 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	192:X40np3Ih8ySzJWt6PFCHMzG3gyLiiKGw0DJGMLtg98:24JYsCHQWq8
TLSH	T1B0F1EA29DA50929E4363327D08996C09B2DE812FC3612E54F51CB4F0AF8516DCFB4BF6
Magika	powershell
Reporter	JAMESWT_WT
Tags:	cf-prod-cap--cfd ps1

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.PUA.Powershell.Downloader-5.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694a6fefa6c88bb4cc23f492

Tags:

obfuscate phishing corrupt xtreme

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 cmd findstr fingerprint fltmc lolbin obfuscated obfuscated powershell reg wmic

Link:

https://www.filescan.io/uploads/694a6feee126b9ff438e1c87/reports/87b93546-260a-45c8-a9a0-2744fa1c1382/overview

Verdict:

Suspicious

Labled as:

RiskWare/PowerShell.Agent

Link:

https://www.hybrid-analysis.com/sample/1ae3af7517c66182b3ca64e025c4b9b74add830a7a2fc06c41914c6df17581f9

Verdict:

Malicious

File Type:

ps1

First seen:

2025-12-22T21:13:00Z UTC

Last seen:

2025-12-23T12:48:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.Win32.PsDownload.sb HackTool.KMSAuto.UDP.C&C

Link:

https://opentip.kaspersky.com/1ae3af7517c66182b3ca64e025c4b9b74add830a7a2fc06c41914c6df17581f9/results?tab=lookup

Score:

20%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/1ae3af7517c66182b3ca64e025c4b9b74add830a7a2fc06c41914c6df17581f9

Verdict:

Malware

YARA:

2 match(es)

Tags:

Base64 Block Contains Base64 Block DeObfuscated PowerShell Powershell: Hidden Execution

Link:

https://app.malva.re/file/ad88c51e409c563ca0886c9913250978

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ae3af7517c66182b3ca64e025c4b9b74add830a7a2fc06c41914c6df17581f9/

Verdict:

Malicious

Threat:

HackTool.Win32.UDP

Link:

https://tip.neiki.dev/file/1ae3af7517c66182b3ca64e025c4b9b74add830a7a2fc06c41914c6df17581f9

Threat name:

Win32.Trojan.Sonbokli

Status:

Malicious

First seen:

2025-12-21 22:05:27 UTC

File Type:

Text (PowerShell)

AV detection:

1 of 36 (2.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dlr265ixyzqyfm6kmtqclrfzw5fn3aykpix4a3cbsfgg34lvqh4q._file

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery execution

Link:

https://tria.ge/reports/251223-nn6sasvraw/

Behaviour

Modifies registry key

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

System Network Configuration Discovery: Internet Connection Discovery

Launches sc.exe

Legitimate hosting services abused for malware hosting/C2

Badlisted process makes network request

Malware Config

Dropper Extraction:

https://pb6.pw/static/cam.ps1
https://pb6.pw/static/poke
https://massgrave.dev/troubleshoot

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ae3af7517c66182b3ca64e025c4b9b74add830a7a2fc06c41914c6df17581f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample