MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36baab7ccccc951336038df2ef6ba1dbe81e5c9a51318779514476f2df3dfd93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36baab7ccccc951336038df2ef6ba1dbe81e5c9a51318779514476f2df3dfd93
SHA3-384 hash: 3708618f1992a8327c5f5a8aaee886b00f29f03686737daf74652c0ca2e79390eb315b1f56b88cd861f00add80dfd31e
SHA1 hash: 42f5131542b19ae6c5b3dea10bba74f902518d7f
MD5 hash: fd0e1bf22deae02f582a9935644728c7
humanhash: texas-purple-pennsylvania-butter
File name:froelichia.ps1
Download: download sample
File size:2'035'681 bytes
First seen:2026-02-03 15:15:39 UTC
Last seen:2026-02-03 16:22:48 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12288:WjpFfuizU6hSbanCG0JBab4Lle2/UZ2UGTzo3ff2lQ5FdZ7e2sxP+Mp6n9PQ/mj9:2kiIR5kPEUAKffZRIPrpk
TLSH T1AD954B3AAD53ADA736DCA3D38F939424ECF4817A5A1311F872E841CE3058D469F9891F
Magika powershell
Reporter aachum
Tags:carlessclapped-com dropped-by-ACRStealer ps1


Avatar
iamaachum
http://194.150.220.218/4SLEYpfAk57hGubo/froelichia

C2: carlessclapped.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
58
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698210e387f81e55ffeefef5
Tags:
malware
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/36baab7ccccc951336038df2ef6ba1dbe81e5c9a51318779514476f2df3dfd93
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-02-01T18:30:00Z UTC
Last seen:
2026-02-05T05:08:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.PowerShell.Obfus.gen
Link:
https://opentip.kaspersky.com/36baab7ccccc951336038df2ef6ba1dbe81e5c9a51318779514476f2df3dfd93/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1862522
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Unusual module load detection (module proxying)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1862522 Sample: froelichia.ps1 Startdate: 03/02/2026 Architecture: WINDOWS Score: 80 25 shed.dual-low.part-0012.t-0009.t-msedge.net 2->25 27 registry.npmjs.org 2->27 29 17 other IPs or domains 2->29 49 Malicious sample detected (through community Yara rule) 2->49 51 Joe Sandbox ML detected suspicious sample 2->51 7 powershell.exe 15 84 2->7         started        11 agent_ovpnconnect.exe 2->11         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 dnsIp5 31 part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49687, 49720 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 7->31 33 140.82.113.6, 443, 49691, 49693 GITHUBUS United States 7->33 37 10 other IPs or domains 7->37 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->53 55 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 7->55 57 Found suspicious powershell code related to unpacking or dynamic code loading 7->57 59 Loading BitLocker PowerShell Module 7->59 15 agent_ovpnconnect.exe 12 7->15         started        19 conhost.exe 7->19         started        21 WerFault.exe 21 11->21         started        23 WerFault.exe 1 21 11->23         started        35 127.0.0.1 unknown unknown 13->35 signatures6 process7 dnsIp8 39 a8a00b7a27dd309f6.awsglobalaccelerator.com 15.197.198.189, 49742, 8545 TANDEMUS United States 15->39 41 carlessclapped.com 45.155.69.48, 443, 49743, 49760 LEASEWEB-NL-AMS-01NetherlandsNL Serbia 15->41 43 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->43 45 Unusual module load detection (module proxying) 15->45 47 Found direct / indirect Syscall (likely to bypass EDR) 15->47 signatures9
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/36baab7ccccc951336038df2ef6ba1dbe81e5c9a51318779514476f2df3dfd93
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36baab7ccccc951336038df2ef6ba1dbe81e5c9a51318779514476f2df3dfd93/
Verdict:
Malicious
Threat:
Trojan.PowerShell.Obfus
Link:
https://tip.neiki.dev/file/36baab7ccccc951336038df2ef6ba1dbe81e5c9a51318779514476f2df3dfd93
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-02-03 15:14:39 UTC
File Type:
Text (PowerShell)
AV detection:
3 of 24 (12.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g25kw7gmzskrgnqdrxzo625b3pub4xe2keyyo6krir3pfxz57wjq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/260203-snfy4af14a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/36baab7ccccc951336038df2ef6ba1dbe81e5c9a51318779514476f2df3dfd93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 36baab7ccccc951336038df2ef6ba1dbe81e5c9a51318779514476f2df3dfd93

(this sample)

  
Link
https://tria.ge/260203-sh1fjsfy5h/behavioral2
  
Dropped by
ACRStealer
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3772028/

Comments