MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 478aed491279bc953ecee8cc7edc569d25c6bd386057f0bbf78486eae9c76275. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

KongTuke
Vendor detections: 8

SHA256 hash: 478aed491279bc953ecee8cc7edc569d25c6bd386057f0bbf78486eae9c76275
SHA3-384 hash: ecb502a1016aa52619b0f147c12550b43922f5d88dd94db5266c65503222852da63c9ada5a49d7ddaeb42fee886f8b4d
SHA1 hash: 0fd63b4dbab755da4efcee6400d3079df95b9eb5
MD5 hash: 5900a0aa9ed9443fbc73ebfba5de0ab3
humanhash: comet-rugby-bravo-chicken
File name: captcha@144.31.169.1
Signature: KongTuke
File size: 4'881 bytes
First seen: 2026-02-03 13:05:58 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 48:CzwM8GS0KOqpe4x4GSawYmGSaaZKtmGSanl4GSaaq5KkCR5GSapz5ZGSaai:CN1Bt0zWooW1l35PC2feT
TLSH: T1A1A1620763E72FFB9A4A4DE95398620724F6C0BB38117A7DF7E515937426A41BC31234
Magika: powershell
Reporter: monitorsg
Tags: Kongtuke ps1


monitorsg
hXXps://monseftq[.]com/5f7b.js --> hXXps://monseftq[.]com/js.php (ClickFix) --> (finger)://144[.]31.169.1:79/captcha

Intelligence

File Origin
# of uploads: 1
# of downloads: 60
Origin country: US

Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 93.3%
Tags: obfuscate xtreme shell

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated powershell powershell soft-404

Verdict: Malicious
Labeled as: PowerShell/Runner.X suspicious application

Verdict: Malicious
File Type: ps1
First seen: 2026-02-03T13:59:00Z UTC
Last seen: 2026-02-03T14:14:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 1 match(es)
Tags: PowerShell

Threat name: Script-PowerShell.Trojan.Heuristic
Status: Malicious
First seen: 2026-02-03 19:18:32 UTC
File Type: Text (Batch)
AV detection: 4 of 24 (16.67%)
Threat level: 2/5

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by a threat actor (can create FP)

Rule name: WIN_FileFix_Detection
Author: dogsafetyforeverone
Description: Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference: FileFix social engineering with PowerShell and PHP commands

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: KongTuke
File type: PowerShell (PS) ps1
SHA256: 478aed491279bc953ecee8cc7edc569d25c6bd386057f0bbf78486eae9c76275 (this sample)

Delivery method: Distributed via web download

Comments