MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 654c41a01a031bf8370a34ae9021c9b4beb1fd39baebf7660961a34c07c28cf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 654c41a01a031bf8370a34ae9021c9b4beb1fd39baebf7660961a34c07c28cf5
SHA3-384 hash: 1b4a372507559a6fb1155abb62de8d939d9673bc579657245dbd9c04ecd7ffdec73c78953351dd7c195b888b132d674e
SHA1 hash: 79d5c98f22e7d2a395beb473ac9a91fdd20a2204
MD5 hash: feff3a4229551475cdb5e005b22372eb
humanhash: delta-johnny-asparagus-eight
File name:654c41a01a031bf8370a34ae9021c9b4beb1fd39baebf7660961a34c07c28cf5.ps1
Download: download sample
File size:86'520 bytes
First seen:2024-12-18 07:32:34 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:CY8PafeOY+fSwGwfH5s9cTIO5MTe4ydgWHLM8DIVI96igQ8n56L83NBXOni328b/:VDY+KK5sCTIO5MTe4ydXHLM8DIVI96i+
TLSH T1B1833A330203FC4F9B7F2E85E9043E911C68247F9B498458F9CE06A955EA520EE7DEB5
Magika powershell
Reporter JAMESWT_WT
Tags:92-255-57-155 booking ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.15173.14085.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67627bb48fb73f13afd1524a
Tags:
virus spawn sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex fingerprint ipconfig lolbin net obfuscated powershell regsvcs strelastealer
Link:
https://www.filescan.io/uploads/67627aae41118fded02dfcc7/reports/d68da04e-9413-485c-8cdc-c12aec354ee6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/654c41a01a031bf8370a34ae9021c9b4beb1fd39baebf7660961a34c07c28cf5
Result
Verdict:
UNKNOWN
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1577175
Signature
AI detected suspicious sample
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1577175 Sample: dmoEBtXht0.ps1 Startdate: 18/12/2024 Architecture: WINDOWS Score: 64 17 Multi AV Scanner detection for submitted file 2->17 19 AI detected suspicious sample 2->19 6 powershell.exe 21 2->6         started        process3 signatures4 21 Uses ipconfig to lookup or modify the Windows network settings 6->21 23 Writes to foreign memory regions 6->23 25 Injects a PE file into a foreign processes 6->25 9 RegSvcs.exe 1 1 6->9         started        11 conhost.exe 6->11         started        13 ipconfig.exe 1 6->13         started        15 RegSvcs.exe 6->15         started        process5
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/654c41a01a031bf8370a34ae9021c9b4beb1fd39baebf7660961a34c07c28cf5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/654c41a01a031bf8370a34ae9021c9b4beb1fd39baebf7660961a34c07c28cf5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-12-06 08:43:54 UTC
File Type:
Text
AV detection:
7 of 23 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mvgedia2amn7qnykgsxjaiojws7ld7jzxlv7ozqjmgruyb6crt2q._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/241218-jdhv9s1kem/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments