MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 592c6bce92a8a7e8052ef0eb61393e32700330effb1c192b7e9f10318d153cc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SharpHide


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 592c6bce92a8a7e8052ef0eb61393e32700330effb1c192b7e9f10318d153cc7
SHA3-384 hash: 79e24686da74704d8ad91ab47028e0259d5665df2430422a8eec066cbbda0b94c01329e8f6b58f1367a05d3257418399
SHA1 hash: 358faddc9c4971af274923185cfba9f0d0a06c09
MD5 hash: 1a236b9ea5583203400ae2a9b74f0f31
humanhash: orange-indigo-lima-oklahoma
File name:1.ps1
Download: download sample
Signature SharpHide
Create hunting rule
File size:163'724 bytes
First seen:2025-01-18 08:59:18 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3072:TTieNC3EX6syh4ciFPTdTM2JiW0tDCfQHsQIOGL81wk5q+l5QhYUSX1AcbdxXSa+:T3NC3EKsyh4ciFTdTM2JiW0tDCfQHsQm
TLSH T198F32B711107BC8E5B7F1F89E84029A50C9C797B7B18C198FEC906A9A1AB520DF7CDB4
Magika powershell
Reporter JAMESWT_WT
Tags:92-255-57-155 booking ps1 SharpHide

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.9446.29445.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678b6ea0aa9c8e7858df79c1
Tags:
virus msil
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex evasive net obfuscated
Link:
https://www.filescan.io/uploads/678b6d9fba38081b4a1b1fbd/reports/21dba106-a699-4c44-a563-0f0cb115faf5/overview
Verdict:
Malicious
Labled as:
MSIL/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/592c6bce92a8a7e8052ef0eb61393e32700330effb1c192b7e9f10318d153cc7
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
SharpHide
Create hunting rule
Detection:
malicious
Classification:
adwa.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1594173
Signature
AI detected suspicious sample
Injects a PE file into a foreign processes
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected SharpHide
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1594173 Sample: 1.ps1 Startdate: 18/01/2025 Architecture: WINDOWS Score: 68 13 Yara detected SharpHide 2->13 15 Yara detected Powershell download and execute 2->15 17 AI detected suspicious sample 2->17 6 powershell.exe 21 2->6         started        process3 signatures4 19 Writes to foreign memory regions 6->19 21 Injects a PE file into a foreign processes 6->21 9 RegSvcs.exe 1 1 6->9         started        11 conhost.exe 6->11         started        process5
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/592c6bce92a8a7e8052ef0eb61393e32700330effb1c192b7e9f10318d153cc7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/592c6bce92a8a7e8052ef0eb61393e32700330effb1c192b7e9f10318d153cc7/
Threat name:
Script-PowerShell.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-01-18 08:59:11 UTC
File Type:
Text
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lewgxtusvct6qbjo6dvwcoj6gjyagmhp7mobsk36t4idddivhtdq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250118-kybhcszkcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SharpHide

PowerShell (PS) ps1 592c6bce92a8a7e8052ef0eb61393e32700330effb1c192b7e9f10318d153cc7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3332613/
  
Delivery method
Distributed via web download

Comments