MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 559d56cb5e008237ab26c5c62240e6c50ae8c0fe5e3e243f9aa2bd87d70be5a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	559d56cb5e008237ab26c5c62240e6c50ae8c0fe5e3e243f9aa2bd87d70be5a9
SHA3-384 hash:	930a2b846eef356c001bcbb8b75bddd880b433e7c2f42a2d6ff1275b7022fb18d4559ffd870a2c3dd71755dd04a00f7d
SHA1 hash:	35ef4ac7159d3d704393793af47e870fff6a984a
MD5 hash:	71e4195ca5b50cdf01bab48e91756eae
humanhash:	sad-south-oregon-montana
File name:	mkfwnenbsghgkd.ps1
Download:	download sample
File size:	11'536'461 bytes
First seen:	2025-02-01 00:57:52 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	1536:gVkHsihtk7zD2JO+ZuYuBsw0+843mNZ+LuZbwDD6zyzCEKL3tv4rqNVfB2bRJSU8:kBYynF2TQ7lGHp
Threatray	15 similar samples on MalwareBazaar
TLSH	T13EC6F2A002732BFDF1E9568142A51E084DFEA5AE751435B4F7C2B6AD6C0DDC240FAE27
Magika	powershell
Reporter	JAMESWT_WT
Tags:	ajye-pinkeosemrabo-com coyote mkfwnenbsghgkd pinkeosemrabo-com ps1 semrabo-com

Intelligence

File Origin

# of uploads :

1

# of downloads :

167

Origin country :

IT

Vendor Threat Intelligence

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=679d728402140668e2cf0712

Tags:

n/a

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

evasive obfuscated

Link:

https://www.filescan.io/uploads/679d719f414c56eb9503f657/reports/81fc5509-b6b4-476c-a04b-f72d29dc53b9/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/559d56cb5e008237ab26c5c62240e6c50ae8c0fe5e3e243f9aa2bd87d70be5a9

Result

Verdict:

UNKNOWN

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1604292

Signature

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code contains very large strings

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Creates a thread in another existing process (thread injection)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Powershell drops PE file

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/559d56cb5e008237ab26c5c62240e6c50ae8c0fe5e3e243f9aa2bd87d70be5a9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/559d56cb5e008237ab26c5c62240e6c50ae8c0fe5e3e243f9aa2bd87d70be5a9/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kwovns26acbdpkzgyxdceqhgyuforqh6ly7cip42uk6ypvyl4wuq._file

Verdict:

malicious

Label(s):

donut_injector

Similar samples:

0fd542be41273b2709ed1b8b4eb7a50d284a20afbd6a4a0a4f50f482a30435d1

559d56cb5e008237ab26c5c62240e6c50ae8c0fe5e3e243f9aa2bd87d70be5a9

64b51ed78bf05c711ab4a5e15617cf9a9297009708d2c1a1fb960beae67ed3e6

7571381b745ae5d06f70404bcdbf1e2de4d4d33d8275a7ab847ec48fe669e94b

83c73a2e1d118c2b7b8c634d705e99e583f54d13f22123a03b235c4a8a9c2dd2

9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b

c59c33f8ec544000f8b7037fc2b33ee8e63646581d131f60d3add5d84a033d6e

f75c52684ec2fe9479f4ceb28c3cec36885e304003f02308b5be11cdd08187f3

+ 5 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery execution

Link:

https://tria.ge/reports/250201-bbg7ysspcm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/559d56cb5e008237ab26c5c62240e6c50ae8c0fe5e3e243f9aa2bd87d70be5a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample