MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20d4139b2aa2ec4cd8664706ed43d7276b837a96f8831fbfc226e286a915ccce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20d4139b2aa2ec4cd8664706ed43d7276b837a96f8831fbfc226e286a915ccce
SHA3-384 hash: ff9d627806d9b9ef4048d512a249e0f2f1720c2c7aa5e0782e728ed8d9380c299227374f94b7b2736ab1ae21bf1aeb3b
SHA1 hash: f657bb24ae7f8b3ae02fd99b670ade2b8a525f46
MD5 hash: a8d0e04e31ff72e7b717720d8721249f
humanhash: glucose-october-three-emma
File name:ftbB6m9N.ps1
Download: download sample
File size:485 bytes
First seen:2025-08-13 16:43:05 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 6:yNsnASW5YD/H8YjPr6QrsrCBCi6tHJEOL2impJpGaAQhEwnf4UX4f4BmFJFOgGF9:2gU62Dilk2dpHzlWa4UXA4IZCF2XhK
TLSH T1C6F02EB16EC7C44744A7456EB83316DA8E199B1882853D32ECE47C6EA497500252A3A4
Magika powershell
Reporter aachum
Tags:AMSIBypass call-kakao-com ps1


Avatar
iamaachum
https://pastebin.com/raw/ftbB6m9N

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689cbb3c2018ee52f02474fa
Tags:
virus shell spawn
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/689cc0b0397fd3ce6fa7daa6/reports/d98096ac-612c-4d0a-afca-14bbfe1e0198/overview
Verdict:
Malicious
Labled as:
PowerShell/Agent.CLS trojan
Link:
https://www.hybrid-analysis.com/sample/20d4139b2aa2ec4cd8664706ed43d7276b837a96f8831fbfc226e286a915ccce
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1756215
Signature
AI detected malicious Powershell script
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1756215 Sample: ftbB6m9N.ps1 Startdate: 13/08/2025 Architecture: WINDOWS Score: 52 10 Multi AV Scanner detection for submitted file 2->10 12 AI detected malicious Powershell script 2->12 6 powershell.exe 11 2->6         started        process3 process4 8 conhost.exe 6->8         started       
Score:
4%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/20d4139b2aa2ec4cd8664706ed43d7276b837a96f8831fbfc226e286a915ccce
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20d4139b2aa2ec4cd8664706ed43d7276b837a96f8831fbfc226e286a915ccce/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/20d4139b2aa2ec4cd8664706ed43d7276b837a96f8831fbfc226e286a915ccce
Threat name:
Script-PowerShell.Hacktool.AMSIBypass
Create hunting rule
Status:
Malicious
First seen:
2025-02-26 17:08:46 UTC
File Type:
Text (PowerShell)
AV detection:
10 of 38 (26.32%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=edkbhgzkulwezwdgi4do2q6xe5vyg6uw7cbr7p6ce3rinkivztha._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
execution
Link:
https://tria.ge/reports/250813-t8dj5s1jz4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/20d4139b2aa2ec4cd8664706ed43d7276b837a96f8831fbfc226e286a915ccce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DonutLoader

Executable exe 8a2590c9a17beff4632e5c888cee885f37901a664d21309b8b3b803462b160d7

PowerShell (PS) ps1 20d4139b2aa2ec4cd8664706ed43d7276b837a96f8831fbfc226e286a915ccce

(this sample)

  
Dropped by
SHA256 8a2590c9a17beff4632e5c888cee885f37901a664d21309b8b3b803462b160d7
  
Delivery method
Distributed via web download
  
Dropped by
MD5 ccd28fcf7cdd706253737b073858f932

Comments