MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dc49390801ae4be6be1568ca9616aa9d9368b4ee5f009a15d69ec73bb453f61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: 1dc49390801ae4be6be1568ca9616aa9d9368b4ee5f009a15d69ec73bb453f61
SHA3-384 hash: 096d392bfaaf6e4e0b4dca04ddaae2c49bd17940abedc67ec7aba48e95916ef3a639322829615bba375f3547c469cf38
SHA1 hash: f31274a0c850764d076c2d8d5071c170045bada8
MD5 hash: db1f1c32fbc3424488ad78f9d03ba81e
humanhash: bravo-hawaii-nebraska-asparagus
File name: 2nd_Quarter_OrderList_Full_Specification.js
Download: download sample
File size: 283'142 bytes
First seen: 2026-04-01 15:36:32 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep 6144:QjP+NGZvRSewPcNWXnVp1YZK4Rlukj2L61oCSQ2uw5o5d1R:QkIR4UNWV8rukj2lc1R
Threatray 72 similar samples on MalwareBazaar
TLSH T1FC54DF14E3F9411AF5B98F55D6FA4814C93A3EAA2B1E84EE48040D8E0E75E44D6F7B33
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:js

Intelligence


File Origin
# of uploads: 1
# of downloads: 107
Origin country: SE
Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: infosteal emotet rapid

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade repaired

Verdict: Malicious
File Type: js
First seen: 2026-03-31T09:51:00Z UTC
Last seen: 2026-04-03T11:57:00Z UTC
Hits: ~100
Detections: HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic
Result
Threat name: Clipboard Hijacker
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Deletes shadow drive data (may be related to ransomware)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Capture Wi-Fi password
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Clipboard Hijacker
Yara detected Powershell decode and execute
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 1892253, Sample: 2nd_Quarter_OrderList_Full_..., Startdate: 01/04/2026, Architecture: WINDOWS, Score: 100
Process chain shown in the graph: wscript.exe -> powershell.exe -> InstallUtil.exe / conhost.exe -> cmd.exe -> netsh.exe / conhost.exe / chcp.com
Threat name: Text.Trojan.Generic
Status: Suspicious
First seen: 2026-03-31 13:06:12 UTC
File Type: Text (JavaScript)
AV detection: 3 of 24 (12.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: collection discovery execution persistence privilege_escalation
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Uses the VBS compiler for execution
Badlisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments