MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f56dc2cefce8586690102c3b6a071dc47238d36c1664c5f78a8a51e5369aa48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f56dc2cefce8586690102c3b6a071dc47238d36c1664c5f78a8a51e5369aa48
SHA3-384 hash: 7d95db661f466d18242eca369606e0881f3c1344c9f2f83ccca41cf0ac67d0f38941a9d70eead72adfd9caf2acbc0839
SHA1 hash: 061c7c5929239695dd53448b32fa3d34b73b696d
MD5 hash: 1c1cf0c54518cf92e9ac026511781687
humanhash: robin-batman-johnny-princess
File name:8X5T.ps1
Download: download sample
File size:5'987 bytes
First seen:2025-01-30 08:06:31 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 96:CZj1d9BoV0XUO4DjGV9OerT0wFyjRzHAIxw2kZ+vQ8jNVYsO7yJGj3pxUJ5Wnyzk:Cl1XO9fIOekwFyjRzHAIxyZ+v9NVbCyk
TLSH T113C150142B1A625340B13A60A9C98637E77B7227216747A1F8FCA64F9F3065CD2F4FC9
Magika powershell
Reporter JAMESWT_WT
Tags:0x0-st ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.INF.Cmst.A.A8D31253.12485.30361.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679b351929ae628cf42b7167
Tags:
shell virus sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint
Link:
https://www.filescan.io/uploads/679b33284587880099ba0016/reports/792476ca-f8d1-443d-8a02-2055ed0f23b2/overview
Verdict:
Malicious
Labled as:
INF.Cmst.A.Generic
Link:
https://www.hybrid-analysis.com/sample/3f56dc2cefce8586690102c3b6a071dc47238d36c1664c5f78a8a51e5369aa48
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1602810
Signature
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1602810 Sample: 8X5T.ps1 Startdate: 30/01/2025 Architecture: WINDOWS Score: 72 34 Malicious sample detected (through community Yara rule) 2->34 36 Yara detected AntiVM3 2->36 38 Suspicious powershell command line found 2->38 40 2 other signatures 2->40 7 powershell.exe 39 2->7         started        11 powershell.exe 28 2->11         started        13 taskkill.exe 1 2->13         started        process3 file4 30 C:\Users\user\AppData\...\wxran4o5.cmdline, Unicode 7->30 dropped 42 Loading BitLocker PowerShell Module 7->42 15 csc.exe 3 7->15         started        18 cmstp.exe 8 7 7->18         started        20 conhost.exe 7->20         started        22 conhost.exe 11->22         started        24 WmiPrvSE.exe 11->24         started        26 conhost.exe 13->26         started        signatures5 process6 file7 32 C:\Users\user\AppData\Local\...\wxran4o5.dll, PE32 15->32 dropped 28 cvtres.exe 1 15->28         started        process8
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/3f56dc2cefce8586690102c3b6a071dc47238d36c1664c5f78a8a51e5369aa48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f56dc2cefce8586690102c3b6a071dc47238d36c1664c5f78a8a51e5369aa48/
Threat name:
Script-INF.Trojan.Cmst
Create hunting rule
Status:
Malicious
First seen:
2025-01-29 09:28:32 UTC
File Type:
Text (PowerShell)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5lnylhpz2cym2ibalb3nidr3rdshdjwyfteyx3yvcsr4u3jvjea._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250130-jzze5sxmcn/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Drops file in System32 directory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments