MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7600ab4fd6fba0c38358897795445bef990a56bd604671b09a93c7763f8c2205. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SharpHide


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7600ab4fd6fba0c38358897795445bef990a56bd604671b09a93c7763f8c2205
SHA3-384 hash: e332f6ef53168ac9de78c4bd6edbc726ead4f84477d6f8d9708217b42dec264da9ed86aa38a521944c524bb479206cb8
SHA1 hash: ff56e949491e56915ba7429a27e3a1978014e7f8
MD5 hash: c8d3f5b0736db4a322dbdbb2e2e294e0
humanhash: tennis-equal-november-connecticut
File name:a.ps1
Download: download sample
Signature SharpHide
Create hunting rule
File size:114'639 bytes
First seen:2025-01-31 06:15:09 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3072:dVdGPFm4Zm4FdI8+T+oW+ZS2TVQ0f7WGidO4lzLbnixeWaspZMV1Wos9+Pbs4Sbx:dVdwg+m4FdUT+oW+ZS2TVQ0f7WGidOeo
TLSH T1D8B34A321202BC4F5FBF2E49F80429A41CAC7D77AB49C55CFAC906ED91A9520DE39DB4
Magika powershell
Reporter JAMESWT_WT
Tags:185-7-214-54 booking ps1 SharpHide Spam-ITA

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.5131.17100.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679c29426d96a8d7e4cd79e6
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex evasive lolbin net obfuscated regsvcs
Link:
https://www.filescan.io/uploads/679c6aab414c56eb95035bf6/reports/1a4bba2c-e8fc-400c-badb-8f7e79c00e30/overview
Verdict:
Suspicious
Labled as:
Trojan[Dropper]/Agent.a
Link:
https://www.hybrid-analysis.com/sample/7600ab4fd6fba0c38358897795445bef990a56bd604671b09a93c7763f8c2205
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
SharpHide
Create hunting rule
Detection:
malicious
Classification:
adwa.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1603643
Signature
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected SharpHide
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1603643 Sample: a.ps1 Startdate: 31/01/2025 Architecture: WINDOWS Score: 68 17 Yara detected SharpHide 2->17 19 Yara detected Powershell download and execute 2->19 21 Joe Sandbox ML detected suspicious sample 2->21 6 powershell.exe 21 2->6         started        process3 signatures4 23 Writes to foreign memory regions 6->23 25 Injects a PE file into a foreign processes 6->25 9 RegSvcs.exe 1 1 6->9         started        11 conhost.exe 6->11         started        13 RegSvcs.exe 6->13         started        15 RegSvcs.exe 6->15         started        process5
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7600ab4fd6fba0c38358897795445bef990a56bd604671b09a93c7763f8c2205
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7600ab4fd6fba0c38358897795445bef990a56bd604671b09a93c7763f8c2205/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oyakwt6w7oqmha2yrf3zkrc356mquvv5mbdhdme2spdxmp4meicq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250131-g1f9vaypbz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7600ab4fd6fba0c38358897795445bef990a56bd604671b09a93c7763f8c2205

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SharpHide

PowerShell (PS) ps1 7600ab4fd6fba0c38358897795445bef990a56bd604671b09a93c7763f8c2205

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3412359/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3420962/

Comments