MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 766bcde5ddd3ae6e2758c749539c5c5d83a1f8a642caeb0bc1bc2c76b5004e7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnappyClient


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 766bcde5ddd3ae6e2758c749539c5c5d83a1f8a642caeb0bc1bc2c76b5004e7a
SHA3-384 hash: d6725ae61c3c8091b219ebc76a22b6adca2bef66fbf2ace0a68b5c9bf91332b86aadf2b4ff2afadcfce47a73f8e149a6
SHA1 hash: e866eab46c1213abcd2a79d0a5c2028e17aa9804
MD5 hash: 325c69a21fef3c7307ab2599e2427968
humanhash: xray-enemy-berlin-oranges
File name:019e9484-10e0-7114-b2bc-cc3efc8135dd.ps1
Download: download sample
Signature SnappyClient
Create hunting rule
File size:4'013'269 bytes
First seen:2026-06-05 20:32:31 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 49152:2cKBmBNKAsKGrqSSuKhTGLVJhKIiK1Rp7XpW1SKbWKzzHkXKf1CpK8vb:e
TLSH T1A80691D87AC457E0A929E7EC8247B4CD1744B13E5FFB580D02E548BC3D1AA1766E0CAE
Magika powershell
Reporter aachum
Tags:212-34-155-18 dropped-by-ACRStealer mdprzinwo-xyz ps1 SnappyClient


Avatar
iamaachum
https://xb1amdnf.st-rpl-diff-node.in.net/019e9484-10e0-7114-b2bc-cc3efc8135dd

SnappyClient IOCs:
212.34.155.18:443
mdprzinwo.xyz (45.150.66.187:443)

Intelligence

File Origin
# of uploads :
1
# of downloads :
52
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Detection(s):
Win.Downloader.Emmenhtal-10044033-0
Create hunting rule

Verdict:
Clean
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a233299f8676ad4d36186a6
Tags:
n/a
Verdict:
Suspicious
Labled as:
PowerShell/Agent.EPQ trojan
Link:
https://www.hybrid-analysis.com/sample/766bcde5ddd3ae6e2758c749539c5c5d83a1f8a642caeb0bc1bc2c76b5004e7a
Verdict:
Malicious
File Type:
Script
Detections:
Trojan.PowerShell.Agent.bea
Link:
https://opentip.kaspersky.com/766bcde5ddd3ae6e2758c749539c5c5d83a1f8a642caeb0bc1bc2c76b5004e7a/results?tab=lookup
Result
Threat name:
SnappyClient
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1923879
Signature
AI detected malicious Powershell script
Contains VNC / remote desktop functionality (version string found)
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: RunDLL32 Spawning Explorer
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Yara detected SnappyClient
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1923879 Sample: 019e9484-10e0-7114-b2bc-cc3... Startdate: 05/06/2026 Architecture: WINDOWS Score: 100 39 mdprzinwo1.xyz 2->39 41 mdprzinwo.xyz 2->41 43 4 other IPs or domains 2->43 55 Found malware configuration 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected SnappyClient 2->59 63 4 other signatures 2->63 8 powershell.exe 16 25 2->8         started        12 rundll32.exe 1 2->12         started        15 rundll32.exe 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 61 Performs DNS queries to domains with low reputation 41->61 process4 dnsIp5 45 xn--b1amdnf.st-rpl-diff-node.in.net 104.21.88.69, 443, 49693 CLOUDFLARENET-CloudflareIncUS Canada 8->45 69 Creates an autostart registry key pointing to binary in C:\Windows 8->69 71 Suspicious execution chain found 8->71 73 Found suspicious powershell code related to unpacking or dynamic code loading 8->73 19 rundll32.exe 1 8->19         started        23 conhost.exe 8->23         started        35 C:\Windows\Temp\~DF7C910033.tmp, PE32 12->35 dropped 75 Sample uses process hollowing technique 12->75 25 explorer.exe 1 12->25         started        37 C:\Windows\Temp\~DF16B70EFD.tmp, PE32 15->37 dropped 27 explorer.exe 1 15->27         started        47 127.0.0.1 unknown unknown 17->47 file6 signatures7 process8 file9 33 C:\Windows\Temp\~DFE0C26D7B.tmp, PE32 19->33 dropped 65 Sample uses process hollowing technique 19->65 29 explorer.exe 5 19->29         started        67 Contains VNC / remote desktop functionality (version string found) 25->67 signatures10 process11 dnsIp12 49 212.34.155.18, 443, 49696, 49707 VDSINAAE Netherlands 29->49 51 mdprzinwo.xyz 45.150.66.187, 443, 49698, 49699 GCS-ASGB United Kingdom 29->51 53 example.com 104.20.23.154, 49697, 49702, 49703 CLOUDFLARENET-CloudflareIncUS Canada 29->53 77 System process connects to network (likely due to code injection or exploit) 29->77 79 Found evasive API chain (may stop execution after checking mutex) 29->79 81 Contains VNC / remote desktop functionality (version string found) 29->81 signatures13
Score:
91%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/766bcde5ddd3ae6e2758c749539c5c5d83a1f8a642caeb0bc1bc2c76b5004e7a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/766bcde5ddd3ae6e2758c749539c5c5d83a1f8a642caeb0bc1bc2c76b5004e7a/
Verdict:
Malicious
Threat:
Trojan.PowerShell.Agent
Link:
https://tip.neiki.dev/file/766bcde5ddd3ae6e2758c749539c5c5d83a1f8a642caeb0bc1bc2c76b5004e7a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ozv43zo52oxg4j2yy5evhhc4lwb2d6fgilfowc6bxqwhnniajz5a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/260605-zb245aez2n/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/766bcde5ddd3ae6e2758c749539c5c5d83a1f8a642caeb0bc1bc2c76b5004e7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnappyClient

PowerShell (PS) ps1 766bcde5ddd3ae6e2758c749539c5c5d83a1f8a642caeb0bc1bc2c76b5004e7a

(this sample)

  
Link
https://tria.ge/260605-y6h43aex9p/behavioral2
  
Dropped by
ACRStealer
  
Delivery method
Distributed via web download

Comments