MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ed218ab665b3546f1ccf5e2e15e01e8078929f83f7c33f6114c222cc1493d40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ed218ab665b3546f1ccf5e2e15e01e8078929f83f7c33f6114c222cc1493d40
SHA3-384 hash: 64fd98f4424895340fccdb98c48bb97cd2eab09c4839c4e40a93b2ed7cbe295c5709513e29c5b001c6a9e2c0dfb07002
SHA1 hash: 51384d693daf6a4561a1706303f3306d2438a433
MD5 hash: 509d24d2109842a92abccec16bd5d8f2
humanhash: kilo-london-tango-oranges
File name:hvh.bat
Download: download sample
File size:6'288'828 bytes
First seen:2025-02-25 11:39:25 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:LKLul1XcGgIW75mdB8JbSi2gx+aRXDLHBgnMWCvLs5hgdTTYKDuaZfHbbZmzmL3M:j
Threatray 163 similar samples on MalwareBazaar
TLSH T1945633B5BBF82D6DDA9A673F81736B0E73D31E408463B2DF516A3E86018BB152523C05
Magika powershell
Reporter JAMESWT_WT
Tags:149-50-97-147 bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hvh.bat
Verdict:
No threats detected
Analysis date:
2025-01-26 00:11:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89705863-0777-454c-ba77-ecf294444809

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bdac60a0fd713c335cb6fb
Tags:
vmdetect xtreme shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated
Link:
https://www.filescan.io/uploads/67bdac273afc3763bec5bafa/reports/a94c8fad-069d-495e-8950-09441f64b4c1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5ed218ab665b3546f1ccf5e2e15e01e8078929f83f7c33f6114c222cc1493d40
Result
Verdict:
SUSPICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1623639
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1623639 Sample: hvh.bat Startdate: 25/02/2025 Architecture: WINDOWS Score: 100 40 ipwho.is 2->40 46 Suricata IDS alerts for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 .NET source code references suspicious native API functions 2->50 52 3 other signatures 2->52 9 cmd.exe 1 2->9         started        signatures3 process4 signatures5 62 Suspicious powershell command line found 9->62 12 powershell.exe 29 31 9->12         started        16 powershell.exe 15 9->16         started        18 conhost.exe 9->18         started        20 cmd.exe 1 9->20         started        process6 dnsIp7 42 149.50.97.147, 4782, 49893, 49946 COGENT-174US United States 12->42 44 ipwho.is 195.201.57.90, 443, 49905 HETZNER-ASDE Germany 12->44 64 Writes to foreign memory regions 12->64 66 Modifies the context of a thread in another process (thread injection) 12->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->68 74 3 other signatures 12->74 22 winlogon.exe 12->22 injected 25 schtasks.exe 12->25         started        70 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 16->72 27 findstr.exe 1 16->27         started        signatures8 process9 signatures10 54 Injects code into the Windows Explorer (explorer.exe) 22->54 56 Contains functionality to inject code into remote processes 22->56 58 Writes to foreign memory regions 22->58 60 3 other signatures 22->60 29 svchost.exe 22->29 injected 32 lsass.exe 22->32 injected 34 OfficeClickToRun.exe 22->34 injected 38 32 other processes 22->38 36 conhost.exe 25->36         started        process11 signatures12 76 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 29->76 78 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 29->78 80 Queries temperature or sensor information (via WMI often done to detect virtual machines) 29->80 82 Writes to foreign memory regions 32->82 84 Creates files in the system32 config directory 34->84
Score:
86%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/5ed218ab665b3546f1ccf5e2e15e01e8078929f83f7c33f6114c222cc1493d40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ed218ab665b3546f1ccf5e2e15e01e8078929f83f7c33f6114c222cc1493d40/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3jbrk3glm2un4om6xrocxqb5adyskpyh56dh5qrjqrczqkjhvaa._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
0999322e8a2a984b5400544b31a91ae8dd49b362a2517fe497a8e1455de07d8f
39fa01d351c5cdb6de9c4155f0c7d4241578ea02e5fc735c19faae312487dc20
4e722641d45ec7ae5032e827a6b311a82a0e0551865caf00c19e7eab85487f54
ac0c9ad2975e52b69068d331e25c0f7e1aaa2976651794b1eeadf5a3529bcaf0
b149a11f068f8b4c79681552a82ccf69821b9a87b538ce1c2e4d75198c3fd5f9
d829b8ffdb11832632e9799419d78b649481d7b9b261ec587c6fc0fc20a76eee
ded12aa1047596d73fd663a8d297bdc36a70e56174e62eeaad3fad48f611890c
e12902c413b76be7f75f527a84c41823e4b96417495c264dc09e77761a105931
e27fbbd008427ab109877123d328bac58fabbf82febee4a36bf8412c28da73a4
e9b236e4b6ba598d2ae4be581c166cf486cbc86a47fffb87b7d05cb09d75073b
error
+ 153 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250225-nsx1yswkx7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ed218ab665b3546f1ccf5e2e15e01e8078929f83f7c33f6114c222cc1493d40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments