MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8760f740a8d422c4d0267e37b6f2e05c4f190d06968bd96a033ff8f5d2dda61c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8760f740a8d422c4d0267e37b6f2e05c4f190d06968bd96a033ff8f5d2dda61c
SHA3-384 hash: 272df98b40dd5b46c463ac67e662cebf9a50cf7cc875aa0628ba990ae22f6bb170d2a6213080da9265105c54124539e0
SHA1 hash: 56ddd5a2d53e83ea7452468aca6809267ceaffb6
MD5 hash: 7ec177dca6b10005dd30fd14356151ae
humanhash: skylark-five-whiskey-mars
File name:D210088211888210221000-2210011.js
Download: download sample
File size:41'968 bytes
First seen:2026-06-05 08:37:05 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:onUTReTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTVTgMR19llFgbDiP61r:8gRKKKKKKKKKKKKKKKKKKRgMRf/Fg/
TLSH T173139816358FCB1871A2468A46AF0B750B6F795F1FBF40C8008DEAC98FE35215C977A6
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:js

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.26866.JsHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a21c0af57b7bf261d60e40b
Tags:
virus shell blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 obfuscated powershell powershell repaired
Link:
https://www.filescan.io/uploads/6a228aca46e44aecc0d1082c/reports/474e2c4d-991c-427d-b1da-8e3666c1724f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8760f740a8d422c4d0267e37b6f2e05c4f190d06968bd96a033ff8f5d2dda61c
Verdict:
Malicious
File Type:
js
First seen:
2026-05-19T14:01:00Z UTC
Last seen:
2026-06-04T05:39:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Generic
Link:
https://opentip.kaspersky.com/8760f740a8d422c4d0267e37b6f2e05c4f190d06968bd96a033ff8f5d2dda61c/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1923496
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Disables Windows Defender (via service or powershell)
Drops script or batch files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1923496 Sample: D210088211888210221000-2210011.js Startdate: 05/06/2026 Architecture: WINDOWS Score: 100 75 catalogo.castrouria.com 2->75 77 andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br 2->77 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for URL or domain 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 11 other signatures 2->89 11 wscript.exe 1 1 2->11         started        14 wscript.exe 2->14         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 117 JScript performs obfuscated calls to suspicious functions 11->117 119 Suspicious powershell command line found 11->119 121 Wscript starts Powershell (via cmd or directly) 11->121 125 3 other signatures 11->125 19 powershell.exe 17 11->19         started        123 WScript reads language and country specific registry keys (likely country aware script) 14->123 23 powershell.exe 14->23         started        73 127.0.0.1 unknown unknown 16->73 signatures6 process7 file8 65 C:\Users\Public\hsfrk.ps1, Unicode 19->65 dropped 91 Self deletion via cmd or bat file 19->91 93 Uses ipconfig to lookup or modify the Windows network settings 19->93 95 Modifies Windows Defender protection settings 19->95 97 4 other signatures 19->97 25 powershell.exe 14 18 19->25         started        29 conhost.exe 19->29         started        31 powershell.exe 23->31         started        33 conhost.exe 23->33         started        signatures9 process10 dnsIp11 81 andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br 104.18.42.56, 443, 49688, 49697 CLOUDFLARENET-CloudflareIncUS Canada 25->81 67 C:\Users\Public\vthpg_01.ps1, Unicode 25->67 dropped 35 powershell.exe 15 25->35         started        39 powershell.exe 31->39         started        file12 process13 dnsIp14 79 catalogo.castrouria.com 185.209.61.135, 443, 49695, 49698 EUSKALTELES Spain 35->79 99 Uses ping.exe to sleep 35->99 101 Self deletion via cmd or bat file 35->101 103 Modifies Windows Defender protection settings 35->103 107 3 other signatures 35->107 41 cmd.exe 1 35->41         started        44 cmd.exe 35->44         started        47 powershell.exe 35 35->47         started        49 32 other processes 35->49 105 Hides threads from debuggers 39->105 signatures15 process16 file17 109 Uses ping.exe to sleep 41->109 111 Drops script or batch files to the startup folder 41->111 113 Uses ping.exe to check the status of other devices and networks 41->113 51 PING.EXE 1 41->51         started        69 D21008821188821022....js:Zone.Identifier, ASCII 44->69 dropped 71 C:\...\D210088211888210221000-2210011.js, Unicode 44->71 dropped 53 PING.EXE 44->53         started        115 Loading BitLocker PowerShell Module 47->115 55 ipconfig.exe 1 47->55         started        57 PING.EXE 1 49->57         started        59 PING.EXE 1 49->59         started        61 PING.EXE 1 49->61         started        63 17 other processes 49->63 signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8760f740a8d422c4d0267e37b6f2e05c4f190d06968bd96a033ff8f5d2dda61c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8760f740a8d422c4d0267e37b6f2e05c4f190d06968bd96a033ff8f5d2dda61c/
Verdict:
Malicious
Threat:
Trojan.JS.SAgent
Link:
https://tip.neiki.dev/file/8760f740a8d422c4d0267e37b6f2e05c4f190d06968bd96a033ff8f5d2dda61c
Threat name:
Script-JS.Downloader.Nemucod
Create hunting rule
Status:
Malicious
First seen:
2026-05-19 18:42:36 UTC
File Type:
Text (JavaScript)
AV detection:
16 of 36 (44.44%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5qpoqfi2qrmjubgpy33n4xalrhrsdigs2f5s2qdh74pluw5uyoa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/260605-kjb6cady7m/
Behaviour
Gathers network information
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Hide Artifacts: Ignore Process Interrupts
Suspicious use of NtSetInformationThreadHideFromDebugger
Indicator Removal: File Deletion
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8760f740a8d422c4d0267e37b6f2e05c4f190d06968bd96a033ff8f5d2dda61c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments