MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3923bca9795691521d1d4f23a37d455a8a285d4abf8d9e30f41b8540a9304fc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NodeLoader


Vendor detections: 7



SHA256 hash: 3923bca9795691521d1d4f23a37d455a8a285d4abf8d9e30f41b8540a9304fc8
SHA3-384 hash: 2b7c4d73493c3dcf8bc2294e2a052a5e4ee4cd7da97a04acfcc2fd40b92107f3be8b01c19f689238b9b42ea3f47d4ae4
SHA1 hash: 57c6f4215fbc3a3cec84bee2934439e89e363256
MD5 hash: fafe253468f29709ca344f829a7d2be8
humanhash: twenty-pasta-cold-don
File name: sdcdfgg.ps1
Signature NodeLoader
File size: 20'038 bytes
First seen: 2025-07-18 20:44:52 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 384:BrEPE3bTzgvtb5Q8FWQs7MKcTqyhA4V0LhSJG8kxJXa23cce1nno1fnFyI:R33XWbu8FLs7MKcnhA4ElsnoOI
TLSH: T187929EB4D1DFC6654F234899FCEC73AAB1729B3594BF5C27C9A498C04F8D0DA386064A
Magika: txt
Reporter: aachum
Tags: ClickFix FakeCaptcha NodeLoader ps1


iamaachum
https://pub-4beb5a1a75d54237a0600bda1ad3149f.r2.dev/sdcdfgg.txt

Intelligence


File Origin
# of uploads: 1
# of downloads: 140
Origin country: ES
Vendor Threat Intelligence
Verdict: Malicious
Score: 81.4%
Tags: autoit emotet
Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 76 / 100
Signature
AI detected malicious Powershell script
Binary is likely a compiled AutoIt script file
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Powerup Write Hijack DLL
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph (ID 1739833; sample sdcdfgg.ps1; start date 18/07/2025; architecture WINDOWS; score 76). Information recovered from the graph rendering:
- Root signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; AI detected malicious Powershell script; 2 other signatures
- powershell.exe started (signatures: Loading BitLocker PowerShell Module; Powershell drops PE file)
  - Network: artemusnetworks.com, 104.21.16.1 port 443 (local port 49690), CLOUDFLARENETUS, United States
  - Dropped files: C:\Users\user\AppData\...\master-file.exe (PE32); C:\Users\user\AppData\Local\Temp\r.bat (ASCII)
  - cmd.exe started (three instances, plus 4 other processes; signature: Uses cmd line tools excessively to alter registry or file data)
    - reg.exe started (eight instances, plus 4 other processes)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-07-18 20:45:41 UTC
File Type: Text
AV detection: 1 of 38 (2.63%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments