MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 827bde9f43a79da6a622f52bf5541a535e16d4d1718e46261268d5047b29dd50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Efimer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 827bde9f43a79da6a622f52bf5541a535e16d4d1718e46261268d5047b29dd50
SHA3-384 hash: 8ae2738ab0fdfee30ffccb545b791999e1df0d850716df8131088aad2495e6035d007d5c64e676840c934def7432feba
SHA1 hash: 0860a10f1caabd73348bdc19f559726220cc321d
MD5 hash: 82bd884c6cd400320f32e0dbe875a15f
humanhash: island-potato-spring-lactose
File name:btdlg.js
Download: download sample
Signature Efimer
Create hunting rule
File size:34'034 bytes
First seen:2025-08-05 14:57:22 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:1JKvKT48xGouIdQQFDPefp7nTwRr3fTKqxLVw7H7:U8xGLIdocLKqxGv
TLSH T139E28C986E5918CE3A2193BF3331D7ECE75CBA79BE4648C76C40092476098B1D9028FF
Magika javascript
Reporter aachum
Tags:cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad Efimer js Tor


Avatar
iamaachum
https://onhoneycomb.com/?tv=3361050874

C2: http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion/route.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
52
Origin country :
CZ CZ
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.JS.Obfus-2525.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68921b8111d7f9b979e5aba5
Tags:
spawn virus sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/68921c11397fd3ce6f9dbc5c/reports/ecb5a423-6098-4203-886a-661fe14a3121/overview
Verdict:
Malicious
Labled as:
Trojan.JS.Agent.JS
Link:
https://www.hybrid-analysis.com/sample/827bde9f43a79da6a622f52bf5541a535e16d4d1718e46261268d5047b29dd50
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1750599
Signature
Found Tor onion address
JavaScript source code contains functionality to generate code involving a shell, file or stream
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Potential obfuscated javascript found
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/827bde9f43a79da6a622f52bf5541a535e16d4d1718e46261268d5047b29dd50
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/827bde9f43a79da6a622f52bf5541a535e16d4d1718e46261268d5047b29dd50/
Verdict:
Malicious
Threat:
HEUR:Trojan-Spy.Script.Efimer
Link:
https://tip.neiki.dev/file/827bde9f43a79da6a622f52bf5541a535e16d4d1718e46261268d5047b29dd50
Threat name:
Script-JS.Downloader.Nemucod
Create hunting rule
Status:
Malicious
First seen:
2025-07-19 23:44:00 UTC
File Type:
Text (JavaScript)
AV detection:
11 of 38 (28.95%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qj555h2du6o2njrc6uv7kva2knpbnvgroghemjqsndkqi6zj3via._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution
Link:
https://tria.ge/reports/250805-sccgjawqv3/
Behaviour
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/827bde9f43a79da6a622f52bf5541a535e16d4d1718e46261268d5047b29dd50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_obfuscated_JS_obfuscatorio
Create hunting rule
Author:@imp0rtp3
Description:Detect JS obfuscation done by the js obfuscator (often malicious)
Reference:https://obfuscator.io
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Efimer

zip 5f24d19a9518c0c33a7c5981e94b6f59a60e7e8475511fe4aa5901555136b703

Efimer

zip 8ab9b30fd54bd193ff8cea63ae76a65b28dc66b2be08e86fe33d608a76b84a1b

Efimer

Java Script (JS) js 827bde9f43a79da6a622f52bf5541a535e16d4d1718e46261268d5047b29dd50

(this sample)

  
Link
https://tria.ge/250805-r8m3gawpz9/behavioral2
  
Dropped by
SHA256 8ab9b30fd54bd193ff8cea63ae76a65b28dc66b2be08e86fe33d608a76b84a1b
  
Delivery method
Distributed via web download
  
Dropped by
MD5 f8230acf56d933ef898d61d46a3bcba6

Comments