MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f38822e2ad43f5ffff5836cb4c9726616775697f2e24bc87b14a2a4f70de455. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f38822e2ad43f5ffff5836cb4c9726616775697f2e24bc87b14a2a4f70de455
SHA3-384 hash: 32572ac0c0009fe7463867eef90fc8f56a483684faf3c15dfb1f071dadfe6f3fb3006b617f742c9fb7af844eea93c666
SHA1 hash: e5171b851e8b8e33b8e7665aaa6fe8b66859c35d
MD5 hash: d7287d3f86c270b69d1dcc492d54775f
humanhash: charlie-mirror-diet-carpet
File name:2f38822e2ad43f5ffff5836cb4c9726616775697f2e24bc87b14a2a4f70de455.ps1
Download: download sample
File size:2'232 bytes
First seen:2025-04-12 07:44:27 UTC
Last seen:2025-04-12 07:44:45 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24:/I6Ul480Hqh3NPY9chOlPY3CFkc9YPyRkp0tHa1E4I6cpqhIhFVmVqhf0dbFVn:3U+oZa+hOqCcyRk6rCcceHNV2bf
TLSH T1874193127E844FCB201364CAD2FA109CC6FD5AD8867E5BC63DC81211983EA8DE9BDD16
Magika powershell
Reporter JAMESWT_WT
Tags:77-223-119-85 booking ClickFix FakeCaptcha ps1

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.26731.9572.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fa2517d6e7c3effad0b5c7
Tags:
autorun virus agent shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
persistence
Link:
https://www.filescan.io/uploads/67fa1a0e40adfb5162c09758/reports/ccb49e04-5ef7-40cf-90f0-f3f284f6f129/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2f38822e2ad43f5ffff5836cb4c9726616775697f2e24bc87b14a2a4f70de455
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1663725
Signature
Joe Sandbox ML detected suspicious sample
Sigma detected: Drops script at startup location
Behaviour
Behavior Graph:
Download SVG
Score:
58%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/2f38822e2ad43f5ffff5836cb4c9726616775697f2e24bc87b14a2a4f70de455
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f38822e2ad43f5ffff5836cb4c9726616775697f2e24bc87b14a2a4f70de455/
Threat name:
Script-PowerShell.Downloader.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-04-10 23:39:23 UTC
File Type:
Text
AV detection:
10 of 38 (26.32%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f44ielrk2q7v777vqnwljslsmylhovux6lrexsd3csrkj5yn4rkq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250412-jlh61azpy2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f38822e2ad43f5ffff5836cb4c9726616775697f2e24bc87b14a2a4f70de455

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Methodology_Suspicious_Shortcut_Local_URL
Create hunting rule
Author:@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Description:Detects local script usage for .URL persistence
Reference:https://twitter.com/cglyer/status/1176184798248919044

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 2f38822e2ad43f5ffff5836cb4c9726616775697f2e24bc87b14a2a4f70de455

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3508757/
  
Delivery method
Distributed via web download

Comments