MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c818d91af1ad7aaa0e599d76ff395e5b694bd2cf05d65d0b53d2036fea726c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c818d91af1ad7aaa0e599d76ff395e5b694bd2cf05d65d0b53d2036fea726c8
SHA3-384 hash: 9b400eb98175eb3b299caad2737ed35770c804e13f331fff0d9ab8cc9893867a6b70e54d10258d6d5e79e9b4dd264899
SHA1 hash: 5545322f658c9cd1884b799244aef8eeac3c00c4
MD5 hash: 8f5f07bdb2e91ee9c9bb9614592cf7fc
humanhash: jersey-uniform-papa-cold
File name:GO.png
Download: download sample
File size:449 bytes
First seen:2024-12-18 12:12:08 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:sQkuZM/GfMLsVjhRaEfZyjSHrZF81NFmMrE:JkuO/GkoV1VBy2HrZC74
TLSH T1ADF0A376C94842B7D9B37581D2555917F4A9401A10764C01557CC9216B1AA07E6FE1CF
Magika powershell
Reporter abus3reports
Tags:bulletproof ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.11566.7484.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6762c4638fb73f13afd1685b
Tags:
cobalt virus shell miner
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper masquerade packed powershell
Link:
https://www.filescan.io/uploads/6762c3ee7b5c5232624fcddf/reports/919aab24-1d5c-432c-9697-718957190fc8/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3c818d91af1ad7aaa0e599d76ff395e5b694bd2cf05d65d0b53d2036fea726c8
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1577476
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Downloads files with wrong headers with respect to MIME Content-Type
Found direct / indirect Syscall (likely to bypass EDR)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1577476 Sample: GO.png.ps1 Startdate: 18/12/2024 Architecture: WINDOWS Score: 100 63 Antivirus detection for URL or domain 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected Powershell download and execute 2->67 69 11 other signatures 2->69 10 powershell.exe 14 21 2->10         started        15 Mig.exe 2->15         started        process3 dnsIp4 61 176.113.115.178, 49707, 80 SELECTELRU Russian Federation 10->61 59 C:\Users\user\AppData\Roaming\LB311.exe, PE32+ 10->59 dropped 93 Adds a directory exclusion to Windows Defender 10->93 95 Powershell drops PE file 10->95 17 LB311.exe 1 2 10->17         started        21 powershell.exe 23 10->21         started        23 conhost.exe 10->23         started        97 Multi AV Scanner detection for dropped file 15->97 99 Detected unpacking (changes PE section rights) 15->99 101 Tries to detect sandboxes and other dynamic analysis tools (window names) 15->101 103 4 other signatures 15->103 file5 signatures6 process7 file8 57 C:\ProgramData\Mig\Mig.exe, PE32+ 17->57 dropped 71 Multi AV Scanner detection for dropped file 17->71 73 Detected unpacking (changes PE section rights) 17->73 75 Machine Learning detection for dropped file 17->75 79 7 other signatures 17->79 25 dialer.exe 17->25         started        28 powershell.exe 23 17->28         started        30 cmd.exe 1 17->30         started        32 13 other processes 17->32 77 Loading BitLocker PowerShell Module 21->77 signatures9 process10 signatures11 83 Injects code into the Windows Explorer (explorer.exe) 25->83 85 Contains functionality to inject code into remote processes 25->85 87 Writes to foreign memory regions 25->87 91 4 other signatures 25->91 34 lsass.exe 25->34 injected 49 18 other processes 25->49 89 Loading BitLocker PowerShell Module 28->89 37 conhost.exe 28->37         started        39 conhost.exe 30->39         started        41 wusa.exe 30->41         started        43 conhost.exe 32->43         started        45 conhost.exe 32->45         started        47 conhost.exe 32->47         started        51 10 other processes 32->51 process12 signatures13 81 Writes to foreign memory regions 34->81 53 MpCmdRun.exe 34->53         started        process14 process15 55 conhost.exe 53->55         started       
Score:
64%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/3c818d91af1ad7aaa0e599d76ff395e5b694bd2cf05d65d0b53d2036fea726c8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c818d91af1ad7aaa0e599d76ff395e5b694bd2cf05d65d0b53d2036fea726c8/
Threat name:
Script-BAT.Exploit.Minerva
Create hunting rule
Status:
Malicious
First seen:
2024-12-16 23:21:27 UTC
File Type:
Text (PowerShell)
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsay3enpdll2vihfthlw744v4w3jjpjm6bowlufvhuqdn7vhe3ea._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
error
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion evasion execution persistence trojan
Link:
https://tria.ge/reports/241218-p3pb8s1laj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Power Settings
Checks BIOS information in registry
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Modifies security service
UAC bypass
Malware Config
Dropper Extraction:
http://176.113.115.178/M.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c818d91af1ad7aaa0e599d76ff395e5b694bd2cf05d65d0b53d2036fea726c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/3351847/

Comments