MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3194b61d652d50f11bca2edf4708a5ba322a190b6bd3d447b516507add5adbec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ZigClipper


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash: 3194b61d652d50f11bca2edf4708a5ba322a190b6bd3d447b516507add5adbec
SHA3-384 hash: e3f936931f9b82d14c48c9e6e970cebed4f02e765f031298744d6edb8508a2f312c3236cadcb3a2e48a6ad1755334f85
SHA1 hash: fc654f053ebdd25fec4ec4797402e212117b94f5
MD5 hash: 5e44a806263ee15f7a0cdd5a3cacbacf
humanhash: uniform-kentucky-carolina-echo
File name:cl-ncl-following.ps1
Download: download sample
Signature ZigClipper
File size:2'277'201 bytes
First seen:2026-04-24 23:47:37 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:QNjc2PE0l0ldubktCZUsNQMcjb9Z7+pDc437W+30O0IoKhnbhFUjrQlNU7R440sx:QNqkkBvN
TLSH T1DFB57CD357DC08AD7B8448E942593A1354FBC36B2C9E528CF5E25A07B63F4217A3AB70
Magika powershell
Reporter aachum
Tags:dropped-by-ACRStealer mpla-clo-cc ps1 ZigClipper


Avatar
iamaachum
http://79.124.59.142/cl-ncl-following

ZigClipper C2: https://mpla-clo.cc/

Intelligence


File Origin
# of uploads :
1
# of downloads :
101
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
91.7%
Tags:
ransomware shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm base64 encrypted fingerprint powershell
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
84 / 100
Signature
Early bird code injection technique detected
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1904538 Sample: cl-ncl-following.ps1 Startdate: 25/04/2026 Architecture: WINDOWS Score: 84 27 Malicious sample detected (through community Yara rule) 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Joe Sandbox ML detected suspicious sample 2->31 33 Sigma detected: Dot net compiler compiles file from suspicious location 2->33 7 powershell.exe 45 2->7         started        process3 signatures4 35 Early bird code injection technique detected 7->35 37 Found suspicious powershell code related to unpacking or dynamic code loading 7->37 39 Queues an APC in another process (thread injection) 7->39 41 Loading BitLocker PowerShell Module 7->41 10 csc.exe 4 7->10         started        13 powershell.exe 15 7->13         started        15 CheckNetIsolation.exe 1 7->15         started        17 conhost.exe 7->17         started        process5 file6 25 Temp_ace1fc80bd7a4...7b48e7f7d875d05.dll, PE32 10->25 dropped 19 cvtres.exe 1 10->19         started        21 conhost.exe 13->21         started        23 WerFault.exe 20 16 15->23         started        process7
Gathering data
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2026-04-24 23:48:37 UTC
File Type:
Text (PowerShell)
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZigClipper

PowerShell (PS) ps1 3194b61d652d50f11bca2edf4708a5ba322a190b6bd3d447b516507add5adbec

(this sample)

  
Dropped by
ACRStealer
  
Delivery method
Distributed via web download

Comments