MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 411e6413afc5dadc63f69dd37d25f23dfee1fbd5eff1a591ba33dfc38ca5a4fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 411e6413afc5dadc63f69dd37d25f23dfee1fbd5eff1a591ba33dfc38ca5a4fd
SHA3-384 hash: 2f095cdded03c96e9ba28b6e51d50ff998d106fa33ebfe9dda094d4f793b62c6093e9510db2967f859f405fb17adc440
SHA1 hash: d4ece3957927d4440a43a00a7c0d30ea21238809
MD5 hash: 6522aad0b04cb58ab8cf30b3a8578fb1
humanhash: fillet-four-bulldog-uncle
File name: ram.ps1
File size: 151 bytes
First seen: 2025-02-14 06:50:22 UTC
Last seen: 2025-03-27 05:36:22 UTC
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 3:qGQTH3x8JCRVDRNMLGURNJEnEILQqXJAFHBuxHvE2eAdb2iKMFH2fxHvE2eAd/yL:q3Lh8JS9wyU2nKyldvHZ2iKMFsdvHpcR
Threatray: 34 similar samples on MalwareBazaar
TLSH: T1F0C02BE2C4180037CB07B082ECF0E013EA47F80D700F3DEE7244400E700502D03C4421
Magika: powershell
Reporter: JAMESWT_WT
Tags: 45-131-215-16 encrypthub-us ps1

Intelligence


File Origin
# of uploads: 2
# of downloads: 97
Origin country: IT

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypto dropper expand fingerprint lolbin obfuscated runonce
Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to infect the boot sector
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Powershell drops PE file
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 1614872, sample ram.ps1, start date 14/02/2025, architecture WINDOWS, score 100):
Root
  Contacted domain: encrypthub.us
  Signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Joe Sandbox ML detected suspicious sample
  Started: powershell.exe; notepad.exe
powershell.exe
  Network: encrypthub.us 45.131.215.16, ports 443, 49709, LEASEWEB-NL-AMS-01, Netherlands (NL)
  Dropped: C:\Users\user\AppData\Local\...\transport.exe (PE32)
  Signatures: Powershell drops PE file
  Started: transport.exe; conhost.exe
transport.exe
  Dropped: C:\Windows\Temp\...\transport.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file
  Started: transport.exe
transport.exe (second instance)
  Dropped: C:\Windows\Temp\...\vcruntime140.dll (PE32+); C:\Windows\Temp\...\msvcp140.dll (PE32+); C:\Windows\Temp\...\mfc140u.dll (PE32+); 2 other malicious files
  Signatures: Multi AV Scanner detection for dropped file
  Started: AppCheckS.exe
AppCheckS.exe
  Dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32+); C:\Users\user\AppData\...\msvcp140.dll (PE32+); C:\Users\user\AppData\Roaming\...\mfc140u.dll (PE32+); C:\Users\user\AppData\...\AppCheckS.exe (PE32+)
  Signatures: Contains functionality to infect the boot sector; Found direct / indirect Syscall (likely to bypass EDR)
  Started: AppCheckS.exe
AppCheckS.exe (second instance)
  Signatures: Contains functionality to infect the boot sector; Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
  Started: cmd.exe
cmd.exe
  Dropped: C:\Users\user\AppData\Local\Temp\ndcicuwbk (PE32)
  Signatures: Injects code into the Windows Explorer (explorer.exe); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 3 other signatures
  Started: explorer.exe; conhost.exe
explorer.exe
  Signatures: Switches to a custom stack to bypass stack traces
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Blocklisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments