MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3
SHA3-384 hash: 4a6f07bb97900c992a552ba734cca843d4ec6667e4ac6507e588bed860d3c2d250519df8e29f705cfbd24295b942003f
SHA1 hash: 8ffb47c2eb9f76ed7a0f8a68d2019c11a4bba291
MD5 hash: d7390ef13c119daedf2350978786696f
humanhash: cold-london-sink-summer
File name:ru1.hta
Download: download sample
File size:1'710 bytes
First seen:2026-03-19 13:27:31 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:5vZmEuZ0mC2lBOtuSiclOix7lLw1N6UMT:5haZ7l7K5wTK
TLSH T1B131834338216F9C43371175A65DA884443315BF4C448A723CEC88B96F2577E51FE3AD
Magika vba
Reporter smica83
Tags:hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Detection(s):
PUA.Win.Trojan.Script-44
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bbf9f193b644ca466baac7
Tags:
dropper shell sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3/results/dashboard
Payload URLs
URL
File name
https://zynaris.io/InstallMullvadVPN.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin mshta powershell
Link:
https://www.filescan.io/uploads/69bbf9ef4ec2f522cc4f4672/reports/6563751a-7f86-4d69-b89a-48369c94b2bd/overview
Verdict:
Malicious
Labled as:
PowerShell_Agent_AOR_trojan
Link:
https://www.hybrid-analysis.com/sample/2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3
Verdict:
Malicious
File Type:
ps1
Detections:
HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1886335
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1886335 Sample: ru1.hta Startdate: 19/03/2026 Architecture: WINDOWS Score: 88 31 api.telegram.org 2->31 33 zynaris.io 2->33 41 Suricata IDS alerts for network traffic 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Sigma detected: Suspicious MSHTA Child Process 2->45 49 3 other signatures 2->49 8 mshta.exe 1 2 2->8         started        12 svchost.exe 1 1 2->12         started        15 mshta.exe 14 2->15         started        17 mshta.exe 14 2->17         started        signatures3 47 Uses the Telegram API (likely for C&C communication) 31->47 process4 dnsIp5 29 C:\Users\user\AppData\Local\Temp\runexe.bat, DOS 8->29 dropped 55 Creates an autostart registry key pointing to binary in C:\Windows 8->55 19 cmd.exe 1 8->19         started        39 127.0.0.1 unknown unknown 12->39 file6 signatures7 process8 signatures9 51 Suspicious powershell command line found 19->51 53 Tries to download and execute files (via powershell) 19->53 22 powershell.exe 15 16 19->22         started        25 powershell.exe 15 19->25         started        27 conhost.exe 19->27         started        process10 dnsIp11 35 zynaris.io 195.160.223.213, 443, 49692, 49694 FREENET_LLCUA Ukraine 22->35 37 api.telegram.org 149.154.166.110, 443, 49693 TELEGRAMRU United Kingdom 25->37
Score:
74%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3/
Verdict:
Malicious
Threat:
Trojan.Script
Link:
https://tip.neiki.dev/file/2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-18 20:47:29 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fr5jt4jx57lrr6e47czgan44tgxyt2qzhfli34etcsiy6lcztgrq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/260319-qqspkahw4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://zynaris.io/InstallMullvadVPN.exe
https://zynaris.io/ru1.hta
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Create hunting rule
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:WIN_ClickFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:ClickFix social engineering and malicious PowerShell commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments