MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28cdffe24c8e11cba16a079b91f2f36df76d4b24a9344441fb7fbaac912130d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28cdffe24c8e11cba16a079b91f2f36df76d4b24a9344441fb7fbaac912130d8
SHA3-384 hash: 9b62ed5fb263f22d9d93a7c36ee66cc12dade717a9c2609506e43f145d0c09f977e2922fc5a5e4adbf4466f15abd1a0f
SHA1 hash: 9a58eebc6201050082b6ca754dfd8920baad7753
MD5 hash: 8e9146d64e3c38457d6916be7e14139b
humanhash: timing-oxygen-july-skylark
File name:gB3_LoeN.ps1
Download: download sample
File size:13'874 bytes
First seen:2026-05-01 16:24:02 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 192:teaZUMkKuLF5dzi9ye297UfhqoYkEr2Sz4fcJfHBWjKGb+Tqim5:+KMe0N97MES/ivBWj2Tqi8
TLSH T16252E890BC52D8D481F353BECE9FB558FB2B586B12651004B2ACC1E07FB4DA4C268E68
Magika powershell
Reporter BastianHein
Tags:ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
CL CL
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Heur.BZC.PZQ.Pantera.316.7CE175DE.11012.6158.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 encrypted evasive fingerprint lolbin obfuscated persistence powershell powershell powershell schtasks vbc
Link:
https://www.filescan.io/uploads/69f4d3bc86e92bda701ac410/reports/39de0eaa-f9b6-40c3-b460-1cd94b1e8a07/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Pantera.316
Link:
https://www.hybrid-analysis.com/sample/28cdffe24c8e11cba16a079b91f2f36df76d4b24a9344441fb7fbaac912130d8
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-05-01T12:20:00Z UTC
Last seen:
2026-05-02T01:48:00Z UTC
Hits:
~10
Detections:
Trojan.PowerShell.Persik.sbr Trojan.PowerShell.Agent.sb PDM:Trojan.Win32.Generic Trojan.Script.vjWorm.a Trojan.MSIL.Dnoper.sb
Link:
https://opentip.kaspersky.com/28cdffe24c8e11cba16a079b91f2f36df76d4b24a9344441fb7fbaac912130d8/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/28cdffe24c8e11cba16a079b91f2f36df76d4b24a9344441fb7fbaac912130d8
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28cdffe24c8e11cba16a079b91f2f36df76d4b24a9344441fb7fbaac912130d8/
Verdict:
Malicious
Threat:
Trojan.PowerShell.Persik
Link:
https://tip.neiki.dev/file/28cdffe24c8e11cba16a079b91f2f36df76d4b24a9344441fb7fbaac912130d8
Threat name:
Script-PowerShell.Trojan.Pantera
Create hunting rule
Status:
Malicious
First seen:
2026-05-01 16:24:39 UTC
File Type:
Text (PowerShell)
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fdg77ysmryi4xilka6nzd4xtnx3w2szeve2eiqp3p65kzejbgdma._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion execution persistence
Link:
https://tria.ge/reports/260501-twl1radv2m/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Hide Artifacts: Hidden Window
Drops startup file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28cdffe24c8e11cba16a079b91f2f36df76d4b24a9344441fb7fbaac912130d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Vjw0rm

Batch (bat) bat 47158b3f83846c028e0f1da35af21ee064417037e9b48d4ebf1070f44f3716d1

PowerShell (PS) ps1 28cdffe24c8e11cba16a079b91f2f36df76d4b24a9344441fb7fbaac912130d8

(this sample)

  
Dropped by
SHA256 47158b3f83846c028e0f1da35af21ee064417037e9b48d4ebf1070f44f3716d1
  
Dropped by
MD5 3d97e6d90507cd5a9d0a3264f1814a2c

Comments