MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0
SHA3-384 hash: 9b0c6d63c70fe4f199b67623cdefce7ffdbe6927cc1c04c21a4ea4e00d90fc361dc86ad86bdbcb064a9835efbb86d226
SHA1 hash: 467d5d213bd6f827aab35d5404eb01792bf19213
MD5 hash: 73f9f8f8c9738f49854820688beae627
humanhash: winner-stairway-princess-nineteen
File name:sdf.hta
Download: download sample
File size:15'079 bytes
First seen:2025-04-15 07:42:23 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:3PCAOdNN/HwrdNNgJHwB47wPnjRftdEpy7zUA+UZJbksLDMdNNhTdNNpHw4dNNd+:/CxdYrdjWMPjR0KQNUjbjMdRTdW4dN+
TLSH T11F620D609C34EEA093E387525DCDE8F8D54D5F1B800149E7709C58A7D3A2A2894E57B3
Magika html
Reporter abuse_ch
Tags:hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fe17fc1dba888a93d4493a
Tags:
obfuscate shell sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0/results/dashboard
Payload URLs
URL
File name
http://172.245.191.88/620/csrss.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
opendir opendir powershell
Link:
https://www.filescan.io/uploads/67fe0e09e9c1e25797998307/reports/af7715e2-58b3-4637-b1b5-b5bd85d883d0/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.A9985976
Link:
https://www.hybrid-analysis.com/sample/8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0
Result
Threat name:
Cobalt Strike
Create hunting rule
Detection:
malicious
Classification:
expl.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1665127
Signature
Detected Cobalt Strike Beacon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1665127 Sample: sdf.hta Startdate: 15/04/2025 Architecture: WINDOWS Score: 92 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected Powershell decode and execute 2->40 42 Sigma detected: Suspicious MSHTA Child Process 2->42 44 2 other signatures 2->44 9 mshta.exe 1 2->9         started        12 svchost.exe 1 1 2->12         started        process3 dnsIp4 48 Suspicious command line found 9->48 50 PowerShell case anomaly found 9->50 15 cmd.exe 1 9->15         started        36 127.0.0.1 unknown unknown 12->36 signatures5 process6 signatures7 52 Detected Cobalt Strike Beacon 15->52 54 Suspicious powershell command line found 15->54 56 PowerShell case anomaly found 15->56 18 powershell.exe 42 15->18         started        23 conhost.exe 15->23         started        process8 dnsIp9 34 172.245.191.88, 49714, 80 AS-COLOCROSSINGUS United States 18->34 30 C:\Users\user\AppData\...\l1pl2equ.cmdline, Unicode 18->30 dropped 46 Loading BitLocker PowerShell Module 18->46 25 csc.exe 3 18->25         started        file10 signatures11 process12 file13 32 C:\Users\user\AppData\Local\...\l1pl2equ.dll, PE32 25->32 dropped 28 cvtres.exe 1 25->28         started        process14
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0/
Threat name:
Script-WScript.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-04-15 07:43:09 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qm225jm7yd462rkc3ojcd3t6frpknv67g37ddot74bf77b4hc6qa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/250415-jkas8szns4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Blocklisted process makes network request
Evasion via Device Credential Deployment
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HTML Application (hta) hta 8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3506896/
  
Delivery method
Distributed via web download

Comments