MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79dada86c51334b2a98374a7d377a5f629caeae83f3736d6d5dd097218b67ef5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


STXRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79dada86c51334b2a98374a7d377a5f629caeae83f3736d6d5dd097218b67ef5
SHA3-384 hash: 25ce1d4f20baea3a3601defab727b1cb67b5e6073917ea24fc6682e5feaf64f46d4f70fb136ea4f4938e045489a152d3
SHA1 hash: b6e95572a2deddddd38ced40d358b51efff46f3a
MD5 hash: 073607628f8428222d381c1f53d37da4
humanhash: pip-autumn-arkansas-green
File name:GoogleDriveSetup.exe.js
Download: download sample
Signature STXRAT
Create hunting rule
File size:8'127 bytes
First seen:2026-04-17 14:14:09 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 96:keHPunGa4npoxGfQf7U5BRcUqwPCaHGHpz:nHrpoxGfQfg5r7qaCJHpz
TLSH T1A4F1820815ABF28EFFA5A06A8DBBC02CF61D25C3CC8677CA76CE51CAD35074BE952154
Magika javascript
Reporter abuse_ch
Tags:js STXRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dfc65045787c53e53a030e
Tags:
shell sage remo
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 clip cmd evasive lolbin masquerade obfuscated packed powershell powershell repaired
Link:
https://www.filescan.io/uploads/69e240539124ebc087551e03/reports/9ed511a5-6416-4617-8448-9e99b258227f/overview
Verdict:
Malicious
Labled as:
JS/Agent
Link:
https://www.hybrid-analysis.com/sample/79dada86c51334b2a98374a7d377a5f629caeae83f3736d6d5dd097218b67ef5
Verdict:
Malicious
File Type:
js
First seen:
2025-12-08T14:36:00Z UTC
Last seen:
2026-04-17T12:51:00Z UTC
Hits:
~100
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.SAgent.gen
Link:
https://opentip.kaspersky.com/79dada86c51334b2a98374a7d377a5f629caeae83f3736d6d5dd097218b67ef5/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1900179
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found potential malicious scriptlet (likely CVE-2017-8570)
HTML page adds supicious text to clipboard
JavaScript source code contains functionality to generate code involving a shell, file or stream
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Unusual module load detection (module proxying)
Uses powershell cmdlets to delay payload execution
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1900179 Sample: GoogleDriveSetup.exe.js Startdate: 17/04/2026 Architecture: WINDOWS Score: 100 112 Malicious sample detected (through community Yara rule) 2->112 114 Multi AV Scanner detection for submitted file 2->114 116 Sigma detected: Powershell download payload from hardcoded c2 list 2->116 118 13 other signatures 2->118 9 wscript.exe 14 2->9         started        13 powershell.exe 2->13         started        15 powershell.exe 2->15         started        17 28 other processes 2->17 process3 file4 92 C:\Users\user\AppData\Local\Temp\~clip.txt, Unicode 9->92 dropped 138 JScript performs obfuscated calls to suspicious functions 9->138 140 Wscript starts Powershell (via cmd or directly) 9->140 142 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->142 148 2 other signatures 9->148 19 powershell.exe 17 35 9->19         started        24 cmd.exe 1 9->24         started        26 chrome.exe 10 9->26         started        144 Suspicious powershell command line found 13->144 146 Uses powershell cmdlets to delay payload execution 13->146 28 powershell.exe 13->28         started        36 2 other processes 13->36 30 MSBuild.exe 15->30         started        32 conhost.exe 15->32         started        34 csc.exe 17->34         started        38 52 other processes 17->38 signatures5 process6 dnsIp7 96 95.216.51.236 HETZNER-ASDE Germany 19->96 98 172.66.47.152 CLOUDFLARENETUS United States 19->98 72 C:\Users\user\AppData\...\tbr5yg23.cmdline, Unicode 19->72 dropped 74 C:\Users\user\AppData\Local\...\autorun.ps1, ASCII 19->74 dropped 76 C:\Users\user\AppData\Local\...\c_3791.proj, ASCII 19->76 dropped 78 C:\Users\user\AppData\Local\...\ActiveX.sct, XML 19->78 dropped 120 Found potential malicious scriptlet (likely CVE-2017-8570) 19->120 122 Creates autostart registry keys with suspicious values (likely registry only malware) 19->122 124 Creates autostart registry keys with suspicious names 19->124 136 2 other signatures 19->136 40 csc.exe 19->40         started        57 2 other processes 19->57 126 Suspicious powershell command line found 24->126 128 Wscript starts Powershell (via cmd or directly) 24->128 130 Uses powershell cmdlets to delay payload execution 24->130 59 3 other processes 24->59 100 192.168.2.4 unknown unknown 26->100 102 192.168.2.5 unknown unknown 26->102 104 192.168.2.6 unknown unknown 26->104 80 C:\Users\...\Unconfirmed 371747.crdownload, PE32+ 26->80 dropped 43 chrome.exe 26->43         started        46 MSBuild.exe 28->46         started        49 conhost.exe 28->49         started        132 Unusual module load detection (module proxying) 30->132 134 Tries to detect sandboxes / dynamic malware analysis system (registry check) 30->134 51 csc.exe 30->51         started        82 C:\Users\user\AppData\Local\...\5zahufpv.dll, PE32 34->82 dropped 53 cvtres.exe 34->53         started        84 C:\Users\user\AppData\Local\...\5v1xz222.dll, PE32 38->84 dropped 55 cvtres.exe 38->55         started        file8 signatures9 process10 dnsIp11 86 C:\Users\user\AppData\Local\...\tbr5yg23.dll, PE32 40->86 dropped 61 cvtres.exe 40->61         started        106 142.250.217.142 GOOGLEUS United States 43->106 108 142.250.65.78 GOOGLEUS United States 43->108 110 7 other IPs or domains 43->110 150 Tries to detect sandboxes / dynamic malware analysis system (registry check) 46->150 63 csc.exe 46->63         started        88 C:\Users\user\AppData\Local\...\2arpgvzc.dll, PE32 51->88 dropped 66 cvtres.exe 51->66         started        90 C:\Users\user\AppData\Local\...\kaxgfmcu.dll, PE32 57->90 dropped 68 cvtres.exe 57->68         started        file12 signatures13 process14 file15 94 C:\Users\user\AppData\Local\...\g5o0ww2n.dll, PE32 63->94 dropped 70 cvtres.exe 63->70         started        process16
Score:
83%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/79dada86c51334b2a98374a7d377a5f629caeae83f3736d6d5dd097218b67ef5
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79dada86c51334b2a98374a7d377a5f629caeae83f3736d6d5dd097218b67ef5/
Verdict:
Malicious
Threat:
Trojan.JS.SAgent
Link:
https://tip.neiki.dev/file/79dada86c51334b2a98374a7d377a5f629caeae83f3736d6d5dd097218b67ef5
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-10 08:50:56 UTC
File Type:
Text (PowerShell)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=phnnvbwfcm2lfkmdost5g55f6yu4v2xih43tnvwv3uexegfwp32q._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection defense_evasion discovery execution persistence
Link:
https://tria.ge/reports/260417-rkdtwsby2w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Adds Run key to start application
Checks BIOS information in registry
Checks computer location settings
Clipboard Data
Suspicious clipboard content.
Badlisted process makes network request
Looks for VMWare Tools registry key
Looks for VMWare services registry key.
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79dada86c51334b2a98374a7d377a5f629caeae83f3736d6d5dd097218b67ef5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments