MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ebc77efec011b34f58c7b421307e002793174f895b16a1acaa65f0a5f9393df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PowershellEmpire

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	5ebc77efec011b34f58c7b421307e002793174f895b16a1acaa65f0a5f9393df
SHA3-384 hash:	89057947fa3887c9c3f1d19e2916db56987af337b0ce7e56d81f167ff3bf46337a4f68ea5268b9e35e7a0fd3eb33059b
SHA1 hash:	9f926b854679a79b14b06c81fd411358a0178d06
MD5 hash:	dad12ba47ae764eccd8ad858b9d6df16
humanhash:	red-queen-mockingbird-river
File name:	lazagne.bat
Download:	download sample
Signature	PowershellEmpire Create hunting rule
File size:	5'353 bytes
First seen:	2025-08-17 16:29:56 UTC
Last seen:	Never
File type:	bat
MIME type:	text/plain
ssdeep	96:BsTrm42kSZx4xf9iU4PGyG6yl1nh90Y6ZhchjEL9icThSqub7f0E4CA6+Gi+vYHu:BqzWgHipPFG66nYB/HL95qMnQi4iAj
TLSH	T1E1B101BECE31F8D8416D33D09A962D5B21D89657D3B39E94DA040CFA3920309FF2969C
Magika	powershell
Reporter	smica83
Tags:	bat PowershellEmpire

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

lazagne.bat

Verdict:

Malicious activity

Analysis date:

2025-08-17 16:31:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/55f5d468-b537-40cc-b8da-55e89654f82e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/21837/

Detection(s):

SecuriteInfo.com.PowerShell.Exec-7.UNOFFICIAL

Sanesecurity.Malware.28888.Heur.BadBat.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a203c1c2f5296a1a27eb36

Tags:

obfuscate xtreme shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 evasive obfuscated powershell powershell

Link:

https://www.filescan.io/uploads/68a203bfa4bdac9f5b9a8faf/reports/5a662879-bd15-4634-b1a0-88dd6b50f254/overview

Verdict:

Malicious

Labled as:

BZC.PZQ.Boxter.791

Link:

https://www.hybrid-analysis.com/sample/5ebc77efec011b34f58c7b421307e002793174f895b16a1acaa65f0a5f9393df

Result

Threat name:

Empire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1758848

Signature

Antivirus / Scanner detection for submitted sample

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: HackTool - Empire PowerShell Launch Parameters

Sigma detected: Net WebClient Casing Anomalies

Sigma detected: Suspicious PowerShell Parameter Substring

Yara detected Empire

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5ebc77efec011b34f58c7b421307e002793174f895b16a1acaa65f0a5f9393df

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ebc77efec011b34f58c7b421307e002793174f895b16a1acaa65f0a5f9393df/

Verdict:

Malicious

Threat:

HEUR:Trojan.PowerShell

Link:

https://tip.neiki.dev/file/5ebc77efec011b34f58c7b421307e002793174f895b16a1acaa65f0a5f9393df

Threat name:

Script-PowerShell.Hacktool.Empire

Status:

Malicious

First seen:

2025-02-06 14:18:08 UTC

File Type:

Text (Batch)

AV detection:

12 of 24 (50.00%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l26hp37maentj5mmpnbbgb7aaj4tc5hyswywugwkuzpqux4tsppq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion execution

Link:

https://tria.ge/reports/250817-tz9k8agj2z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Modifies trusted root certificate store through registry

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ebc77efec011b34f58c7b421307e002793174f895b16a1acaa65f0a5f9393df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PowerShell_Susp_Parameter_Combo_RID336F Create hunting rule
Author:	Florian Roth
Description:	Detects PowerShell invocation with suspicious parameters
Reference:	https://goo.gl/uAic1X

Rule name:	SUSP_PS1_JAB_Pattern_Jun22_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:	Internal Research

Rule name:	WIN_FileFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:	FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21837/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample