MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f7ef9bab42d3524fa5748b408d92d8e860065b4262f7f957b9a6b440c8a428e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f7ef9bab42d3524fa5748b408d92d8e860065b4262f7f957b9a6b440c8a428e
SHA3-384 hash: 20f15689a4b504ede28fb6329a262104695d5dc561e951021c649f0315d133f8b386b525eea98b642e24e2123f2b7bc5
SHA1 hash: 6e8ac800894b6758b731c7233ec420b388bff886
MD5 hash: 9e7cf13449ffeceb3d0b2adf3786d687
humanhash: mike-cat-purple-mars
File name:small.cmd
Download: download sample
File size:5'861'384 bytes
First seen:2026-05-14 23:48:08 UTC
Last seen:Never
File type:cmd cmd
MIME type:text/plain
ssdeep 49152:Q2rnCdh/aJW966Li9uWrg0nHkMLzom8mHwwuUk7GjHwtfWJGd2usq+jIvY1+t/pu:BcMLzom8mHwwuUkuwtfWJGI+t/porrrz
Threatray 35 similar samples on MalwareBazaar
TLSH T18D46E796140D40E308F9DBB2F825AD8A7B9E02FF5012959C35D0DCA85B6E18B46FF1DE
Magika batch
Reporter aachum
Tags:cmd dropped-by-LummaStealer


Avatar
iamaachum
https://banknotenot.pw/small.cmd

Requests URL retrieved through EtherHiding: https://kelemet.shop/assets/IncleHatte.json

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a065f7f46d6967b3d9062f1
Tags:
vmdetect dropper virus shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd conhost findstr fingerprint lolbin obfuscated ping powershell
Link:
https://www.filescan.io/uploads/6a065f4411d01437268a94ae/reports/c4a9feee-8b5f-47f3-b451-0703820caee2/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3f7ef9bab42d3524fa5748b408d92d8e860065b4262f7f957b9a6b440c8a428e
Verdict:
Clean
File Type:
unix shell
First seen:
2026-05-15T11:35:00Z UTC
Last seen:
2026-05-15T11:46:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/3f7ef9bab42d3524fa5748b408d92d8e860065b4262f7f957b9a6b440c8a428e/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1913806
Signature
.NET source code contains potential unpacker
Deletes itself after installation
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Query firmware table information (likely to detect VMs)
Suricata IDS alerts for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1913806 Sample: small.cmd Startdate: 15/05/2026 Architecture: WINDOWS Score: 92 34 k8s-ingressn-bscmainn-92244380d0-811109128.us-east-1.elb.amazonaws.com 2->34 36 nugetapiprod.trafficmanager.net 2->36 38 8 other IPs or domains 2->38 48 Suricata IDS alerts for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Yara detected AntiVM3 2->52 54 2 other signatures 2->54 10 cmd.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 signatures5 58 Uses ping.exe to sleep 10->58 60 Uses ping.exe to check the status of other devices and networks 10->60 15 cmd.exe 1 10->15         started        17 conhost.exe 10->17         started        process6 process7 19 conhost.exe 15->19         started        21 chcp.com 1 15->21         started        process8 23 cmd.exe 1 19->23         started        signatures9 56 Uses ping.exe to sleep 23->56 26 powershell.exe 15 34 23->26         started        30 PING.EXE 1 23->30         started        32 chcp.com 1 23->32         started        process10 dnsIp11 40 k8s-ingressn-bscmainn-92244380d0-811109128.us-east-1.elb.amazonaws.com 107.21.60.202, 443, 49700 AMAZON-AESUS United States 26->40 42 api.ipapi.is 178.156.177.192, 443, 49708 SERVIHOSTING-ASAireNetworksES Romania 26->42 46 3 other IPs or domains 26->46 62 Query firmware table information (likely to detect VMs) 26->62 64 Deletes itself after installation 26->64 66 Hides threads from debuggers 26->66 44 127.0.0.1 unknown unknown 30->44 signatures12
Score:
18%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/3f7ef9bab42d3524fa5748b408d92d8e860065b4262f7f957b9a6b440c8a428e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f7ef9bab42d3524fa5748b408d92d8e860065b4262f7f957b9a6b440c8a428e/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/3f7ef9bab42d3524fa5748b408d92d8e860065b4262f7f957b9a6b440c8a428e
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-05-14 11:41:49 UTC
File Type:
Text
AV detection:
3 of 24 (12.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h57ptovufu2sj6sxjc2arwjnr2daaznueyxx7fl3tjvuidekikha._file
Verdict:
malicious
Label(s):
covenantc2
Create hunting rule
Similar samples:
35b69e08b49d193026c6de3e823ae87dfe3e28513985e7b3848912ec259491e8
4ef4742c1a71cca9a3bfc4fe312e9ca6df120fec15f4f8dea4266f17340837b0
64038aa9e013fd24b44730e22297fdbf2a5723ffaeda892a247e74cb64ba3bd9
84b6ce21535041f998e7c21a0d426e8ffab18b7575313cc1b070b3f44db1225f
a4c271f06767e1497260cfb7bac4abeac8764bbbd9408c8dd9e2c1ae164903ef
b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f
e4dc0ccbc6bc6e2cf2a4ad0d6b949c121c8fcb4ba6e939909d11ba1b6b294cf5
error
+ 25 additional samples on MalwareBazaar
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3f7ef9bab42d3524fa5748b408d92d8e860065b4262f7f957b9a6b440c8a428e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

cmd cmd 3f7ef9bab42d3524fa5748b408d92d8e860065b4262f7f957b9a6b440c8a428e

(this sample)

  
Link
https://tria.ge/260514-3khnmaby51/behavioral2
  
Dropped by
LummaStealer
  
Delivery method
Distributed via web download

Comments