MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c9df254ad5c538e5244d0e7ff8acfd96338e4d5b39717d08a939639dd9a5ab0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: 4c9df254ad5c538e5244d0e7ff8acfd96338e4d5b39717d08a939639dd9a5ab0
SHA3-384 hash: 4da7086cada0f50ab5b244d5167c48d0a276680db1dc0686cfaa6c5cc3b5f9de230a3d11665f151938e59c0b6b831da1
SHA1 hash: f753b046602301c1b36ef1b2314bfdc07a7b275d
MD5 hash: 824bfef008c4d83f17b123ea324fb1b9
humanhash: hawaii-fanta-michigan-bulldog
File name: 2y6fw1.ps1
File size: 1'942'255 bytes
First seen: 2025-05-25 12:27:00 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 3072:lOqrcq0UIQTvTQGjAZ3bqPTCuhgEyaByfRfffnfffffTfwfKfCff9fOQfffffffu:lHAqzlPOqP3fSH
TLSH: T1C4959AB94B685D5E0A5B3B78C0874E83DB8A1764033E808AF7DB5939616BC16D07DCB3
Magika: powershell
Reporter: 01Xyris
Tags: ps1

Intelligence


File Origin
# of uploads: 1
# of downloads: 90
Origin country: SE

Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: proxy spawn blic sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 bladabindi dropper packed packed reconnaissance timeout
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
AI detected malicious Powershell script
Antivirus detection for dropped file
Drops PE files to the user root directory
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powerup Write Hijack DLL
Behaviour
Behavior Graph (ID 1698767; sample 2y6fw1.ps1; start date 25/05/2025; architecture WINDOWS; score 100), recovered from the flattened graph:
  Sample-level DNS/IP: ftpproxy672-44246.portmap.io
  Sample-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; .NET source code contains potential unpacker; 6 other signatures
  Started from the sample: powershell.exe; OneDrive Updater.exe (two instances)
  powershell.exe:
    dropped C:\Users\user\AppData\Local\Temp\cvsYxk.exe (PE32) and C:\Users\user\AppData\Local\Temp\cvsYxk.bat (DOS)
    signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
    started cvsYxk.exe, cmd.exe, conhost.exe
  cvsYxk.exe:
    network: ftpproxy672-44246.portmap.io, 193.161.193.99, ports 44246, 49692, 49694 (BITREE-ASRU, Russian Federation)
    dropped C:\Users\Public\OneDrive Updater.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; Drops PE files to the user root directory
    started WerFault.exe
  cmd.exe: started conhost.exe, timeout.exe
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-05-25 12:28:37 UTC
File Type: Text
AV detection: 6 of 38 (15.79%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: execution persistence upx
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
UPX packed file
Adds Run key to start application
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: Xworm
