MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 596cd0d30fe035e8be1dd9d78c1f71a8fc0e2c653d1318af26c51758339ca6bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Kimsuky
Vendor detections: 11



SHA256 hash: 596cd0d30fe035e8be1dd9d78c1f71a8fc0e2c653d1318af26c51758339ca6bd
SHA3-384 hash: 6450add89bde70f9b0000325996955e4f4f234c6328e5f12e7cea5ae740c112172ffa90603e70cc4821f9263c01830bd
SHA1 hash: 31acdff6710ff1e5f0b310fc42c2005a972da7b2
MD5 hash: 1a00387c696fe3b7ea9602c4cb91f14e
humanhash: alpha-uniform-carpet-blue
File name: Themes.js
Signature: Kimsuky
File size: 269 bytes
First seen: 2025-09-01 11:01:46 UTC
Last seen: Never
File type: JavaScript (JS)
MIME type: text/plain
ssdeep: 6:ufTcpVRMSPP3vXv8Hf7cg/oNtS/fSjAFEDNjL7HTPQXATAkE4JH:ufTIMSn3/vMf72S/asFK37zYQTAN4N
TLSH: T1C4D097288856F0E9C40ABBC2DA308A409185F0D1372AECEF8348CDF8002A75A7080E8F
Magika: javascript
Reporter: smica83
Tags: apt, js, Kimsuky, medianewsonline-com

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 73
Origin country: HU
Vendor Threat Intelligence

Verdict: Malicious
Score: 70%
Tags: spawn, small, hype

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated

Verdict: Malicious
File type: js
First seen: 2025-09-01T07:23:00Z UTC
Last seen: 2025-09-01T07:23:00Z UTC
Hits: ~100
Detections: HEUR:Trojan-Downloader.Script.SLoad.gen, Trojan-PSW.Win32.Stealer.sb, Trojan-Dropper.JS.SDrop.sb, Trojan-Downloader.JS.SLoad.sb
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 96 / 100
Signatures:
Gathers system information via systeminfo
JavaScript source code contains functionality to generate code involving a shell, file or stream
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph (ID 1768887; sample Themes.js; start date 01/09/2025; architecture WINDOWS; score 96):
- wscript.exe is started and resolves iuh234.medianewsonline.com (185.176.43.108, TCP ports 49714, 49715, 49718; ZETTA-ASBG, Bulgaria). Signatures attached to this process: system process connects to network, JScript performs obfuscated calls to suspicious functions, Windows Scripting host queries suspicious COM object, gathers system information via systeminfo.
- wscript.exe starts three cmd.exe instances and 4 other processes.
- The cmd.exe instances drop C:\Users\user\AppData\...\TempradD312F.tmp, C:\Users\user\AppData\...\Temprad34101.tmp and C:\Users\user\AppData\...\Temprad7B3ED.tmp (ASCII) and start systeminfo.exe, tasklist.exe and several conhost.exe instances; the 4 other processes start further conhost.exe instances and 7 other processes.
- systeminfo.exe starts WmiPrvSE.exe and queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines).
Verdict: Malicious
Threat: Trojan-Downloader.JS.SLoad

Threat name: Script.Downloader.Nemucod
Status: Malicious
First seen: 2025-09-01 11:02:38 UTC
File type: Text (JavaScript)
AV detection: 6 of 24 (25.00%)
Threat level: 3/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery, execution, spyware, stealer
Behaviour:
Gathers system information
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Enumerates processes with tasklist
Checks computer location settings
Reads user/profile data of web browsers
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments