MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7710b253ee5fd1ceea3ab780a5d757b7f5beac224359c09e8a1b8a69b689fe2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CountLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7710b253ee5fd1ceea3ab780a5d757b7f5beac224359c09e8a1b8a69b689fe2c
SHA3-384 hash: 6a5d41763c2ae3bcd9eb1b4d29e7f3595a24960432b592b030bb967aa63b7ab15b0b9028de1e7e1e86e0a67fc5a4e296
SHA1 hash: 331d23f5eb6e8be04331fa75ac8b9152b3077af7
MD5 hash: cb364083c1dbe2d7715477e3cb61977e
humanhash: cola-lake-maine-november
File name:image.ps1
Download: download sample
Signature CountLoader
Create hunting rule
File size:3'300 bytes
First seen:2026-06-09 15:20:03 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 48:HDNv35j6MuPwiAIdf35wX5Rz5yCT2iAdK53f9Qll2Rk0dBYRgvKf:H2Hw2f3kLzTT24dleJDR9
Threatray 20 similar samples on MalwareBazaar
TLSH T1C361402AECC39CA35213D6D3C2F2D62CBF7994DC002BAE85F9ACC45603A19195359F2D
Magika powershell
Reporter aachum
Tags:CountLoader dropped-by-ACRStealer ps1 vdsina-vg


Avatar
iamaachum
https://vdsina.vg/image.jpeg

CountLoader C2: vdsina.vg

Intelligence

File Origin
# of uploads :
1
# of downloads :
42
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a282d0da15110463ee44ccf
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 lolbin mshta obfuscated
Link:
https://www.filescan.io/uploads/6a282f4e1f652d686572be95/reports/b300832f-c0d6-4430-9604-cd1a353e8108/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/7710b253ee5fd1ceea3ab780a5d757b7f5beac224359c09e8a1b8a69b689fe2c
Verdict:
Clean
File Type:
Link:
https://opentip.kaspersky.com/7710b253ee5fd1ceea3ab780a5d757b7f5beac224359c09e8a1b8a69b689fe2c/results?tab=lookup
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1925246
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files to the user root directory
Early bird code injection technique detected
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Legitimate Application Dropped Archive
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to access browser extension known for cryptocurrency wallets
Unusual module load detection (module proxying)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1925246 Sample: image.ps1 Startdate: 09/06/2026 Architecture: WINDOWS Score: 100 53 poxzxin.cyou 2->53 55 decrnoj.club 2->55 57 4 other IPs or domains 2->57 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Antivirus detection for URL or domain 2->83 85 10 other signatures 2->85 10 powershell.exe 12 2->10         started        13 powershell.exe 21 2->13         started        15 taskkill.exe 1 2->15         started        signatures3 process4 signatures5 89 Suspicious execution chain found 10->89 17 mshta.exe 16 10->17         started        20 mshta.exe 16 13->20         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        process6 dnsIp7 69 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->69 71 Tries to access browser extension known for cryptocurrency wallets 17->71 73 Creates processes via WMI 17->73 75 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 17->75 28 package.exe 17->28         started        32 curl.exe 2 17->32         started        35 taskkill.exe 17->35         started        37 WmiPrvSE.exe 17->37         started        59 vdsina.vg 104.248.198.130, 443, 49688, 49692 DIGITALOCEAN-ASN-DigitalOceanLLCUS Netherlands 20->59 51 C:\...\Marketing_Data_Archive_4797[1].rar, HTML 20->51 dropped 77 Writes or reads registry keys via WMI 20->77 file8 signatures9 process10 dnsIp11 63 google.com 142.251.45.78, 443, 49700 GOOGLE-GoogleLLCUS United States 28->63 91 Multi AV Scanner detection for dropped file 28->91 93 Early bird code injection technique detected 28->93 95 Writes to foreign memory regions 28->95 99 2 other signatures 28->99 39 Dism.exe 28->39         started        65 immortal-service.cc 45.153.34.55, 443, 49699 PFCLOUDPfcloudUGDE Netherlands 32->65 67 127.0.0.1 unknown unknown 32->67 49 C:\Users\user\package.exe, PE32 32->49 dropped 97 Drops PE files to the user root directory 32->97 43 conhost.exe 32->43         started        45 conhost.exe 35->45         started        file12 signatures13 process14 dnsIp15 61 pomflgf.vu 2.26.74.89, 80 GREATFLOWERIL Finland 39->61 87 Unusual module load detection (module proxying) 39->87 47 conhost.exe 39->47         started        signatures16 process17
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7710b253ee5fd1ceea3ab780a5d757b7f5beac224359c09e8a1b8a69b689fe2c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7710b253ee5fd1ceea3ab780a5d757b7f5beac224359c09e8a1b8a69b689fe2c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4ileu7ol7i452r2w6aklv2xw7235lbcinm4bhukdofgtnuj7ywa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5
CountLoader
2762f3e0a56d62e70157c398626856befead49f0926ba921f478bb599f10e2f6
CountLoader
4162f73e003955984db654daa5e75cae8dc1f0446ff8f137e8b9ef4064b8778e
CountLoader
94189e4d1e03f3afac858be576cc0c1b0ab000dbccb8dcf988fb58059b5a12ff
CountLoader
9d176e2a1d21e4b368cd06adfb0f38629781d4b7ca6ed7b738efb0745e77fa22
CountLoader
aa95b0b984dce56dcf8d9e9fabaa6a251b4a80cd7e344b3740d5934596f2e0fa
CountLoader
e509431663ed1839770e56a17120afcb1692e25a1bf6633ba46c6e0a96155624
CountLoader
error
CountLoader
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution persistence spyware
Link:
https://tria.ge/reports/260609-sq5egacz2y/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Badlisted process makes network request
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
Dropper Extraction:
https://vdsina.vg
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7710b253ee5fd1ceea3ab780a5d757b7f5beac224359c09e8a1b8a69b689fe2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CountLoader

PowerShell (PS) ps1 7710b253ee5fd1ceea3ab780a5d757b7f5beac224359c09e8a1b8a69b689fe2c

(this sample)

CountLoader

HTML Application (hta) hta 286e41a4a73bb6855027eaef518f4f47fdcbbb211bbdc5900e2561ececeaaf09

  
Link
https://tria.ge/260609-sglk1adt4p/behavioral2
  
Dropped by
ACRStealer
  
Delivery method
Distributed via web download
  
Dropping
SHA256 286e41a4a73bb6855027eaef518f4f47fdcbbb211bbdc5900e2561ececeaaf09
  
Dropping
MD5 72a04dd1bd445564c769ca5e1eb291f0

Comments