MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50615b10fef0b49b05d8b465b71d96623cdc0cd79214a102bb268381c466e4f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50615b10fef0b49b05d8b465b71d96623cdc0cd79214a102bb268381c466e4f5
SHA3-384 hash: c1bc62734b9f0e8f66a3d6b41689b4a53c5d594fd16aa77df5147b0d072ee99653cb8a8b18ac0929544c7c82f0527bb1
SHA1 hash: 6faf7e375c763f999daa53b4c3e0497649ffcfe9
MD5 hash: 6254420ebb84eb479c081db302479c9a
humanhash: hawaii-gee-california-connecticut
File name:FreeNFT.bat
Download: download sample
File size:313 bytes
First seen:2025-11-20 19:55:01 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 6:s8GFPoSkaRvTihcWgG5ezTRQdWNYQUdLd8Y2F09uLgyKBM3S1R+jsbywFHhW6MFW:s8d5xA58FdLd8v0oLgyaIS1IobDFHhNX
TLSH T1C6E07D390313861057DC026D5819AD262474680EC0566DD0E4D5A48C64DB246B7F44AD
Magika powershell
Reporter smica83
Tags:bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FreeNFT.bat
Verdict:
Suspicious activity
Analysis date:
2025-11-20 19:55:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f3d8735-399c-4694-ad27-4b57655e6375

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38887/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691f72398cf6736ec0afd65b
Tags:
xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Running batch commands
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Creating a window
Creating a process with a hidden window
Searching for synchronization primitives
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Launching a tool to kill processes
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated powershell
Link:
https://www.filescan.io/uploads/691f7232f96b58f0dc7e11bb/reports/9b93e2ed-1dfd-4ced-806d-fb20346423cd/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/50615b10fef0b49b05d8b465b71d96623cdc0cd79214a102bb268381c466e4f5
Verdict:
Malicious
File Type:
ps1
First seen:
2025-11-20T17:14:00Z UTC
Last seen:
2025-11-20T21:45:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan.Win32.Diztakun.sb HEUR:Trojan.Java.Alien.gen Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Agent.sb Trojan.PowerShell.DefenderDisabler.sb HEUR:Trojan-PSW.MSIL.Coins.gen NetTool.PowerShellGet.HTTP.C&C NetTool.PowerShellUA.HTTP.C&C
Link:
https://opentip.kaspersky.com/50615b10fef0b49b05d8b465b71d96623cdc0cd79214a102bb268381c466e4f5/results?tab=lookup
Result
Threat name:
Telegram Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1818125
Signature
Antivirus detection for dropped file
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Disables Windows Defender (via service or powershell)
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Processes Spawned by Java.EXE
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Telegram RAT
Yara detected Telegram Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1818125 Sample: FreeNFT.bat Startdate: 20/11/2025 Architecture: WINDOWS Score: 100 100 api.telegram.org 2->100 102 raw.githubusercontent.com 2->102 104 ipv4.icanhazip.com 2->104 130 Suricata IDS alerts for network traffic 2->130 132 Found malware configuration 2->132 134 Malicious sample detected (through community Yara rule) 2->134 138 15 other signatures 2->138 12 cmd.exe 1 2->12         started        signatures3 136 Uses the Telegram API (likely for C&C communication) 100->136 process4 signatures5 160 Suspicious powershell command line found 12->160 162 Wscript starts Powershell (via cmd or directly) 12->162 15 powershell.exe 17 19 12->15         started        19 conhost.exe 12->19         started        process6 dnsIp7 110 raw.githubusercontent.com 185.199.108.133, 443, 49687, 49688 FASTLYUS Netherlands 15->110 86 C:\Users\user\AppData\Local\Temp\filed.jar, Java 15->86 dropped 21 javaw.exe 16 15->21         started        file8 process9 file10 88 C:\Users\user\xD.jar, Zip 21->88 dropped 140 Uses cmd line tools excessively to alter registry or file data 21->140 142 Modifies Windows Defender protection settings 21->142 144 Disables Windows Defender (via service or powershell) 21->144 25 java.exe 19 21->25         started        30 reg.exe 1 1 21->30         started        32 powershell.exe 23 21->32         started        signatures11 process12 dnsIp13 108 api.telegram.org 149.154.167.220, 443, 49692, 49694 TELEGRAMRU United Kingdom 25->108 92 C:\Users\...\Updater8058972686456994176.exe, PE32 25->92 dropped 94 C:\Users\...\Updater1067915207875695228.exe, PE32 25->94 dropped 96 C:\Users\user\...\run4126820515001840064.vbs, ASCII 25->96 dropped 98 C:\Users\...\delete2473758150277455822.bat, DOS 25->98 dropped 148 Uses cmd line tools excessively to alter registry or file data 25->148 150 Modifies Windows Defender protection settings 25->150 152 Disables Windows Defender (via service or powershell) 25->152 34 Updater1067915207875695228.exe 25->34         started        37 Updater8058972686456994176.exe 25->37         started        39 java.exe 25->39         started        47 7 other processes 25->47 154 Disable Task Manager(disabletaskmgr) 30->154 156 Disables the Windows task manager (taskmgr) 30->156 43 conhost.exe 30->43         started        158 Loading BitLocker PowerShell Module 32->158 45 conhost.exe 32->45         started        file14 signatures15 process16 dnsIp17 112 Antivirus detection for dropped file 34->112 114 Multi AV Scanner detection for dropped file 34->114 116 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->116 49 WerFault.exe 34->49         started        118 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 37->118 120 Queries memory information (via WMI often done to detect virtual machines) 37->120 51 WerFault.exe 37->51         started        106 ipv4.icanhazip.com 104.16.185.241, 443, 49706 CLOUDFLARENETUS United States 39->106 90 C:\Users\user\...\jna8933506607061324384.dll, PE32 39->90 dropped 122 Tries to harvest and steal browser information (history, passwords, etc) 39->122 53 powershell.exe 39->53         started        55 taskkill.exe 39->55         started        64 5 other processes 39->64 124 Wscript starts Powershell (via cmd or directly) 47->124 126 Windows Scripting host queries suspicious COM object (likely to drop second stage) 47->126 128 Loading BitLocker PowerShell Module 47->128 57 powershell.exe 47->57         started        60 cmd.exe 47->60         started        62 powershell.exe 47->62         started        66 16 other processes 47->66 file18 signatures19 process20 signatures21 68 conhost.exe 53->68         started        70 conhost.exe 55->70         started        146 Loading BitLocker PowerShell Module 57->146 72 conhost.exe 60->72         started        74 timeout.exe 60->74         started        76 conhost.exe 62->76         started        78 conhost.exe 64->78         started        80 conhost.exe 64->80         started        82 2 other processes 64->82 84 11 other processes 66->84 process22
Score:
90%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/50615b10fef0b49b05d8b465b71d96623cdc0cd79214a102bb268381c466e4f5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50615b10fef0b49b05d8b465b71d96623cdc0cd79214a102bb268381c466e4f5/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/50615b10fef0b49b05d8b465b71d96623cdc0cd79214a102bb268381c466e4f5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbqvweh66c2jwboywrs3ohmwmi6nydgxsikkcav3e2bydrdg4t2q._file
Verdict:
malicious
Label(s):
unc_loader_065
Create hunting rule
Similar samples:
error
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/251120-yndrmags6b/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
ConfuserEx .NET packer
Enumerates processes with tasklist
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Disables Task Manager via registry modification
Disables one or more Microsoft Defender components
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/38887/

Comments