MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25202fe6cfe435bdee3befa057a8618d7e6fee0309d100e04a5a0d3978bf0792. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZigClipper


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25202fe6cfe435bdee3befa057a8618d7e6fee0309d100e04a5a0d3978bf0792
SHA3-384 hash: 8a145fd8431b90e87b6752486e367a485630266b076c8ad9cd14eaa52831bd8b985fc62bc541d47ef1c57f1bedd7e105
SHA1 hash: 415d46f4d0b61ab55d7146266993579e51094d31
MD5 hash: ce3efb77bb52246e20a690fa294b6afb
humanhash: kansas-michigan-shade-lamp
File name:Reader_en_install_1780328114797.ps1
Download: download sample
Signature ZigClipper
Create hunting rule
File size:18'396 bytes
First seen:2026-06-07 13:51:54 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 384:amx+KY0TMezUuF5uRx1XA3uluG3vvSs4eFf:Vx3Y0TMKn41Xft3XbBt
TLSH T1D182595303851BBDF6CD0EC5895A301720F2D927BD291299AFB36EEBBC3B9845434726
Magika powershell
Reporter aachum
Tags:celebration-internet-cc ps1 SunWukong ZigClipper


Avatar
iamaachum
https://radiosanducito.uy/tmp/Reader_en_install_1780328114797.ps1

ZigClipper C2: celebration-internet.cc

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a25779e63a4889c1afa57d1
Tags:
cobalt shell small sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aes base64 crypto dropper encrypted evasive installer-heuristic obfuscated packed persistence powershell
Link:
https://www.filescan.io/uploads/6a25779a46e44aecc0d3e03b/reports/3c1e68e8-e592-4614-a615-1a47024f1f98/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/25202fe6cfe435bdee3befa057a8618d7e6fee0309d100e04a5a0d3978bf0792
Verdict:
Malicious
File Type:
ps1
First seen:
2026-06-06T02:10:00Z UTC
Last seen:
2026-06-06T02:48:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Powershell.d Trojan-Downloader.Win32.PsDownload.sb Trojan.PowerShell.DefenderDisabler.sb PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic
Link:
https://opentip.kaspersky.com/25202fe6cfe435bdee3befa057a8618d7e6fee0309d100e04a5a0d3978bf0792/results?tab=lookup
Result
Threat name:
EtherHiding, ZigClipper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1924134
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Net WebClient Casing Anomalies
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Unusual module load detection (module proxying)
Yara detected EtherHiding
Yara detected ZigClipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1924134 Sample: Reader_en_install_178032811... Startdate: 07/06/2026 Architecture: WINDOWS Score: 100 43 celebration-internet.cc 2->43 45 ae7280d68d883734b.awsglobalaccelerator.com 2->45 47 3 other IPs or domains 2->47 63 Suricata IDS alerts for network traffic 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for URL or domain 2->67 69 6 other signatures 2->69 8 powershell.exe 16 33 2->8         started        13 powershell.exe 9 2->13         started        15 svchost.exe 1 1 2->15         started        17 powershell.exe 2->17         started        signatures3 process4 dnsIp5 53 radiosanducito.uy 195.250.27.211, 443, 49691, 49805 WHG-MEXGB Mexico 8->53 55 iplogger.co 104.21.82.93, 443, 49683 CLOUDFLARENET-CloudflareIncUS Canada 8->55 41 C:\Users\user\AppData\...behaviorgraphdhRIfepV0wt.exe, PE32+ 8->41 dropped 79 Suspicious powershell command line found 8->79 81 Encrypted powershell cmdline option found 8->81 83 Creates autostart registry keys with suspicious values (likely registry only malware) 8->83 85 4 other signatures 8->85 19 GdhRIfepV0wt.exe 12 8->19         started        23 powershell.exe 15 8->23         started        26 conhost.exe 8->26         started        28 WmiPrvSE.exe 8->28         started        30 conhost.exe 13->30         started        57 127.0.0.1 unknown unknown 15->57 32 conhost.exe 17->32         started        file6 signatures7 process8 dnsIp9 49 celebration-internet.cc 104.21.4.73, 443, 49695, 49699 CLOUDFLARENET-CloudflareIncUS Canada 19->49 51 ae7280d68d883734b.awsglobalaccelerator.com 99.83.204.86, 443, 49693 AMAZON-02-AmazoncomIncUS United States 19->51 71 Multi AV Scanner detection for dropped file 19->71 73 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->73 75 Found stalling execution ending in API Sleep call 19->75 77 Found direct / indirect Syscall (likely to bypass EDR) 19->77 39 C:\Users\user\AppData\...\ZpVMn3U7BeIz.exe, PE32+ 23->39 dropped 34 ZpVMn3U7BeIz.exe 23->34         started        37 conhost.exe 23->37         started        file10 signatures11 process12 signatures13 59 Multi AV Scanner detection for dropped file 34->59 61 Unusual module load detection (module proxying) 34->61
Score:
91%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/25202fe6cfe435bdee3befa057a8618d7e6fee0309d100e04a5a0d3978bf0792
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25202fe6cfe435bdee3befa057a8618d7e6fee0309d100e04a5a0d3978bf0792/
Verdict:
Malicious
Threat:
Trojan.Win32.DefenderDisabler
Link:
https://tip.neiki.dev/file/25202fe6cfe435bdee3befa057a8618d7e6fee0309d100e04a5a0d3978bf0792
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=euqc7zwp4q2333r356qfpkdbrv7g73qdbhiqbyckligts6f7a6ja._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260607-q6lk7afx4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/25202fe6cfe435bdee3befa057a8618d7e6fee0309d100e04a5a0d3978bf0792

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZigClipper

PowerShell (PS) ps1 25202fe6cfe435bdee3befa057a8618d7e6fee0309d100e04a5a0d3978bf0792

(this sample)

ZigClipper

Executable exe cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc

  
Link
https://tria.ge/260607-qv5jxsfw4y/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 cc72b42c5ead241222e935eaf10144a2a3a56ec492bbefb46eb78ebdf04f87cc
  
Dropping
MD5 98887ebaac9fe0d1fa9433f9d8811201

Comments