MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e5dbe753b1b2d61c831e37a6805e93cb568125fd0874203e9d424c5b2a430ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternalRocks


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e5dbe753b1b2d61c831e37a6805e93cb568125fd0874203e9d424c5b2a430ee
SHA3-384 hash: 678479768b7553d1d040a25c34f67caf053e6b944bc3066e75d15e88564af5d3374a4f5b1dd46adbadeb1beaa51112b4
SHA1 hash: a36e59d5ca968a46ff51f2fb975f50fce2155d3d
MD5 hash: 9fff92c7f7822f32b3efbad9b4799793
humanhash: two-table-massachusetts-berlin
File name:sombr.hta
Download: download sample
Signature EternalRocks
Create hunting rule
File size:59'297 bytes
First seen:2026-03-01 11:57:45 UTC
Last seen:2026-03-02 07:32:36 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 1536:+++Uv++jxyncGg856bVA7Z+JYVB5Q4YeCT+VLifnl+RO5w/ww15Y1+Wxf:n
TLSH T1F0433CB171B499F11152EB7AC0B24F48DF25314A5D767CE2B6E802064CF9E233DDA9B2
TrID 66.6% (.HTML) HyperText Markup Language (UTF-8) (6000/1/1)
33.3% (.TXT) Text - UTF-8 encoded (3000/1)
Magika html
Reporter aachum
Tags:77-238-228-60 ACRStealer ClickFix FakeCaptcha hta


Avatar
iamaachum
https://refviewpage.t3.storage.dev/index.html => http://185.193.89.158/sombr.aif

ACRStealer C2: 77.238.228.60

Intelligence

File Origin
# of uploads :
2
# of downloads :
59
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a426848fffa866e3b3b414
Tags:
infosteal rapid
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/1e5dbe753b1b2d61c831e37a6805e93cb568125fd0874203e9d424c5b2a430ee/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/69a429d8cd25bfe1dfdd38aa/reports/970bdb6b-664b-495c-be95-193012de24c9/overview
Verdict:
Malicious
Labled as:
GT:VB.Corona.4
Link:
https://www.hybrid-analysis.com/sample/1e5dbe753b1b2d61c831e37a6805e93cb568125fd0874203e9d424c5b2a430ee
Result
Gathering data
Verdict:
Malicious
File Type:
hta
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic Trojan-Downloader.Win32.PsDownload.sb Trojan.Win32.PowerShell.d PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic Trojan-Downloader.JS.SLoad.sb
Link:
https://opentip.kaspersky.com/1e5dbe753b1b2d61c831e37a6805e93cb568125fd0874203e9d424c5b2a430ee/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876465
Signature
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Encrypted powershell cmdline option found
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Unusual module load detection (module proxying)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876465 Sample: sombr.hta Startdate: 01/03/2026 Architecture: WINDOWS Score: 100 36 flowerz.my 2->36 48 Suricata IDS alerts for network traffic 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 2 other signatures 2->54 9 mshta.exe 1 2->9         started        12 svchost.exe 1 1 2->12         started        signatures3 process4 dnsIp5 62 Suspicious powershell command line found 9->62 64 Encrypted powershell cmdline option found 9->64 15 powershell.exe 15 577 9->15         started        40 127.0.0.1 unknown unknown 12->40 signatures6 process7 dnsIp8 42 flowerz.my 104.21.94.92, 443, 49681 CLOUDFLARENETUS United States 15->42 28 C:\Users\user\AppData\...\vcruntime140.dll, PE32 15->28 dropped 30 C:\Users\user\AppData\...\libstdc++-6.dll, PE32+ 15->30 dropped 32 C:\Users\user\AppData\...\libsqlite3-0.dll, PE32+ 15->32 dropped 34 6 other malicious files 15->34 dropped 44 Loading BitLocker PowerShell Module 15->44 46 Powershell drops PE file 15->46 20 Setup.exe 15->20         started        24 conhost.exe 15->24         started        file9 signatures10 process11 dnsIp12 38 77.238.228.60, 443, 49692, 49693 TELERU-ASRU Russian Federation 20->38 56 Hides threads from debuggers 20->56 58 Unusual module load detection (module proxying) 20->58 60 Contains functionality to hide a thread from the debugger 20->60 26 WerFault.exe 21 16 20->26         started        signatures13 process14
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e5dbe753b1b2d61c831e37a6805e93cb568125fd0874203e9d424c5b2a430ee/
Verdict:
Malicious
Threat:
Trojan-Downloader.Win32.PowerShell
Link:
https://tip.neiki.dev/file/1e5dbe753b1b2d61c831e37a6805e93cb568125fd0874203e9d424c5b2a430ee
Threat name:
Win32.Trojan.Corona
Create hunting rule
Status:
Malicious
First seen:
2026-03-01 11:44:11 UTC
File Type:
Text (HTML)
Extracted files:
2
AV detection:
6 of 36 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzo345j3dmwwdsbr4n5gqbpjhs2wqes72cduea7j2qsmlmvegdxa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/260301-n49twsfw3f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1e5dbe753b1b2d61c831e37a6805e93cb568125fd0874203e9d424c5b2a430ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternalRocks

HTML Application (hta) hta 1e5dbe753b1b2d61c831e37a6805e93cb568125fd0874203e9d424c5b2a430ee

(this sample)

Amadey

zip a7ca1f6ca408c5cbe644e3b92404e5389abdd212423b83168c9b69201075774f

AmateraStealer

PowerShell (PS) ps1 9f3c3388c6ce825295a8c36a7668a215b4f0defdd2335e9fc29810d4a5a0b1cd

  
Link
https://tria.ge/260301-nrrsjsez8g/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 9f3c3388c6ce825295a8c36a7668a215b4f0defdd2335e9fc29810d4a5a0b1cd
  
Dropping
MD5 caa3ff32ed8fecd3b15efc1fbb54040d

Comments