MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26cd7fa196e3cce99009f10e6ba1f38f96121fe9acbd3cb8bb9812ff4d1785b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8
SHA256 hash: 26cd7fa196e3cce99009f10e6ba1f38f96121fe9acbd3cb8bb9812ff4d1785b4
SHA3-384 hash: 224485ca2e516e4bbcfafc47bab8fc1f5a9af364bb34052884bb7ef1c3df992ac4a8e2fef1cfdd1ed6856202e945f335
SHA1 hash: be4bc1a5a09eb11589c10ed9f25ea7ed8bccb011
MD5 hash: d55c7b0a3e5c4cf9d2d9e2e4e2b05337
humanhash: ink-spaghetti-uniform-orange
File name: ps812cm.tsv
File size: 11'451 bytes
First seen: 2025-08-12 17:06:04 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 192:sPAOflvUuE8yiQ5ZYkMIQKXEgHfLfXLrErmAECDB/UwuADYvS2K1HDFCRdpbGBVD:0VMPMqJ/DLYrAY00Yv50HD0pbGBeS
TLSH: T1D132F7D219A75A14CB5A164C4FE2196C823037B6838297579E4F38C378B779F79E603C
Magika: powershell
Reporter: aachum
Tags: ClickFix genspark-browser-world ps1


Comment by iamaachum:

https://genspark-browser.world/activation.html => https://raw.githubusercontent.com/malmeses4535/generated-1/refs/heads/main/ps812cm.tsv

C2:
https://steamcommunity.com/profiles/76561199878826092/
https://hkdk.events/s7je7pxglzqbew

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 160
Origin country: ES

Vendor Threat Intelligence
Verdict: Malicious
Score: 97.4%
Tags: ransomware shell sage

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 masquerade obfuscated powershell
Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Early bird code injection technique detected
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Potentially malicious time measurement code found
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Powershell download and execute
Behaviour
Behavior Graph ID: 1755619
Sample: ps812cm.tsv.ps1
Start date: 12/08/2025
Architecture: WINDOWS
Score: 100

Top-level network: pastebin.com (Connects to a pastebin service, likely for C&C); armydevice.shop; 8 other IPs or domains
Top-level signatures: Malicious sample detected (through community Yara rule); Yara detected Powershell download and execute; Sigma detected: New RUN Key Pointing to Suspicious Folder; 10 other signatures

Process tree (bracketed numbers are the graph's node IDs; "n other ..." entries are nodes the graph collapsed; port lists are reproduced as the graph gives them):

[2] sample
  [12] powershell.exe
    signatures: Found many strings related to Crypto-Wallets (likely being stolen); Encrypted powershell cmdline option found; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
    [22] powershell.exe
      network: dev.azure.com 150.171.73.16 (ports 443, 49715, 49723; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); hkdk.events 104.18.17.219 (ports 443, 49733; CLOUDFLARENETUS, United States); 2 other IPs or domains
      dropped: C:\Users\Public\Music\helptempob7g.exe (PE32+)
      [32] powershell.exe
        dropped: C:\Users\Public\Pictures\aiolX9GC.exe (PE32+)
        [42] aiolX9GC.exe
          dropped: C:\Users\user\AppData\...\win32event.pyd (PE32+); C:\Users\user\AppData\Local\...\win32api.pyd (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 115 other malicious files
          signatures: Found pyInstaller with non standard icon
          [62] aiolX9GC.exe
            [82] cmd.exe
              signatures: Uses ping.exe to sleep
              [89] conhost.exe
              [91] PING.EXE
        [46] conhost.exe
      [35] powershell.exe
        dropped: C:\Users\Public\Documents\ccupdatemy4v.exe (PE32+)
        [48] ccupdatemy4v.exe
          dropped: C:\Users\user\AppData\...\Tvr5JZqV15JF.exe (PE32+)
          signatures: Antivirus detection for dropped file; Early bird code injection technique detected; Contains functionality to inject code into remote processes
          [64] Tvr5JZqV15JF.exe
            network: geelt.com 87.120.126.234 (ports 49729, 49731, 49735; UNACS-AS-BG8000BurgasBG, Bulgaria); steamcommunity.com 23.54.187.178 (ports 443, 49728, 49730; AKAMAI-ASUS, United States)
            signatures: Antivirus detection for dropped file; Hijacks the control flow in another process; Writes to foreign memory regions; 3 other signatures
            [85] svchost.exe
        [50] conhost.exe
      [37] helptempob7g.exe
        signatures: Antivirus detection for dropped file; Suspicious powershell command line found; Bypasses PowerShell execution policy; Potentially malicious time measurement code found
        [52] cmd.exe
          signatures: Uses ping.exe to sleep; Uses cmd line tools excessively to alter registry or file data; Uses ping.exe to check the status of other devices and networks
          [68] reg.exe
        [58] 3 other processes
          [78] WmiPrvSE.exe
          [80] reg.exe
      [40] 3 other processes
        dropped: C:\Users\user\AppData\Local\...\tempduIf.exe (PE32); C:\Users\Public\Videos\zenCXan.exe (PE32+)
        [54] tempduIf.exe
          signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Tries to harvest and steal browser information (history, passwords, etc); 4 other signatures
          [70] chrome.exe
        [56] zenCXan.exe
          signatures: Writes to foreign memory regions; 2 other signatures
          [72] MSBuild.exe
            network: armydevice.shop 104.21.20.197 (ports 443, 49745, 49748; CLOUDFLARENETUS, United States); glossmagazine.shop 104.21.93.114 (ports 443, 49746, 49750; CLOUDFLARENETUS, United States)
            signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            [87] WerFault.exe
          [74] MSBuild.exe
          [76] MSBuild.exe
        [60] 2 other processes
    [26] conhost.exe
  [15] Tvr5JZqV15JF.exe
    signatures: Hijacks the control flow in another process; Writes to foreign memory regions; Allocates memory in foreign processes
    [28] svchost.exe
  [17] Tvr5JZqV15JF.exe
    signatures: Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    [30] svchost.exe
  [19] svchost.exe
    network: 127.0.0.1
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Threat name: Script-PowerShell.Trojan.ClickFix
Status: Malicious
First seen: 2025-08-12 20:02:06 UTC
File Type: Text (Batch)
AV detection: 4 of 24 (16.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution persistence pyinstaller
Behaviour:
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name: SUSP_PowerShell_Base64_Decode
Author: SECUINFRA Falcon Team
Description: Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)
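The Sigma titles in the sandbox result above (base64-encoded PowerShell command lines, the FromBase64String cmdlet, execution from a Public folder, a Run key pointing into a Public folder, a parent process in a Public folder, ping.exe used as a sleep) and the YARA rules just listed all name patterns rather than show them. The Python triage script below is an added example written for this page; it is not MalwareBazaar code, not the sandbox vendors' rule logic and not the YARA authors' rules. The regexes are this example's own approximations of those rule titles, the `parent|image|cmdline` record format and the sample records are constructed, and the file names reuse the drop paths from the process tree above only so that the input looks realistic.

```python
"""Triage helper for the process-creation patterns named in the Sigma/YARA hits
above.  Added example: not MalwareBazaar, sandbox-vendor or YARA-author code."""
import base64
import re

# Approximations of the rule titles listed on this page.  Hypothetical: these
# regexes are this example's own reading of the titles, not the vendors' logic.
# PowerShell accepts any unambiguous prefix of -EncodedCommand; real rules
# enumerate them all, this one covers -e, -ec, -en, -enc and the full switch.
ENC_ARG = re.compile(
    r"(?i)\s-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/]{16,}={0,2})(?=\s|$)")
RULES = {
    "Base64 Encoded PowerShell Command": ENC_ARG,
    "PowerShell FromBase64String Cmdlet": re.compile(r"(?i)FromBase64String\s*\("),
    "Execution Policy Bypass": re.compile(r"(?i)-(?:ep|ex|exec|executionpolicy)\s+bypass\b"),
    "Execution from Suspicious Folder": re.compile(
        r"(?i)C:\\Users\\Public\\(?:Music|Pictures|Documents|Videos|Downloads)\\[^\\\s\"']+\.exe"),
    "New RUN Key Pointing to Suspicious Folder": re.compile(
        r"(?i)\breg(?:\.exe)?\s+add\s+\"?HK(?:CU|LM|EY_[A-Z_]+)"
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b.*C:\\Users\\Public\\"),
    "ping.exe Used to Sleep": re.compile(
        r"(?i)\bping(?:\.exe)?\b(?=.*\s-n\s+\d+)(?=.*\b(?:127\.0\.0\.1|localhost)\b)"),
}
# Strings that typically only become visible after decoding the -EncodedCommand payload.
DYNAMIC_EXEC = re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), else None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64, or not UTF-16LE text
        return None


def scan_record(record):
    """Return the rule titles that fire on one constructed 'parent|image|cmdline' record."""
    parent, image, cmdline = record.split("|", 2)
    text = image + " " + cmdline  # the image path matters for the folder rules
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        # The FromBase64String / IEX stage usually sits inside the encoded layer.
        hits += [name + " (inside decoded command)" for name, rx in RULES.items()
                 if name not in hits and rx.search(decoded)]
        if DYNAMIC_EXEC.search(decoded):
            hits.append("Dynamic code execution inside decoded command")
    if re.match(r"(?i)C:\\Users\\Public\\", parent):
        hits.append("Parent in Public Folder")  # the parent image, not the cmdline, is the tell
    return hits


def triage(records):
    """Image name -> rule hits, for every record that fired at least one rule."""
    report = {}
    for rec in records:
        hits = scan_record(rec)
        if hits:
            image = rec.split("|", 2)[1].rsplit("\\", 1)[-1]
            report.setdefault(image, []).extend(hits)
    return report


# Constructed sample telemetry.  The inner script is made up; it is wrapped the
# way -EncodedCommand expects (UTF-16LE, then base64) so the decoder has real work.
STAGE2 = '$b=[Convert]::FromBase64String("QUJD");IEX ([Text.Encoding]::UTF8.GetString($b))'
ENC = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -nop -w hidden -ep bypass -enc " + ENC,
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"C:\Users\Public\Music\helptempob7g.exe|C:\Users\Public\Music\helptempob7g.exe",
    r"C:\Users\Public\Music\helptempob7g.exe|C:\Windows\System32\cmd.exe|"
    r"cmd.exe /c ping 127.0.0.1 -n 10 > nul & reg add "
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ "
    r"/d C:\Users\Public\Videos\zenCXan.exe /f",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\user\notes.txt",
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_RECORDS).items():
        print(f"{image}: {', '.join(hits)}")
```

Two design points matter when adapting this to real EDR telemetry. First, the encoded-command layer is decoded and re-scanned, because the stage that the "Encrypted powershell cmdline option found" and FromBase64String signatures describe is usually invisible on the outer command line; a second base64 layer inside the decoded script is common and would need the same treatment recursively. Second, the folder rules run against the image path and the parent image path, not only the command line, since a dropper started by `powershell.exe` from `C:\Users\Public\Music` is exactly the "Parent in Public Folder" case the sandbox flagged.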

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
File type: PowerShell (PS) ps1
SHA256: 26cd7fa196e3cce99009f10e6ba1f38f96121fe9acbd3cb8bb9812ff4d1785b4 (this sample)