MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94348b8aba05449059863153d86e7f4cea880aacb65238bb3666dabeaa9aaffe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

SHA256 hash: 94348b8aba05449059863153d86e7f4cea880aacb65238bb3666dabeaa9aaffe
SHA3-384 hash: 0cdb615bfceda7c0f0ed9a099951afd85fcd85227bda79de6dd23e889b84e6e87190e5157d2a3d36f17bc8770b6281a2
SHA1 hash: 5c9dfc6d5cc4743247ffae3b1737327c8546af73
MD5 hash: 978e36e12abdfb849745a694eca47fc6
humanhash: skylark-east-oklahoma-golf
File name: shell.bat
File size: 1'585 bytes
First seen: 2024-09-03 04:36:43 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 48:kv37GW2WLnSB7IxcSe5LXFQz+39XvwS0CfakvZpOWi:JEUIxcSOyKYS9C
TLSH: T1A531C1985A0FEEAF418390FED7C58384D21804674019E614BADDCFC597AD0A891EE7F6
Magika: powershell
Reporter: lontze7

Intelligence

File Origin
# of uploads: 1
# of downloads: 106
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: shell.bat
Verdict: Suspicious activity
Analysis date: 2024-09-03 04:37:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: Encryption Execution Network Minerva

Result
Verdict: Malware
Maliciousness:
Behaviour: Creating a window

Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: troj
Score: 76 / 100
Signature:
AI detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Malware Callback Communication
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Yara detected Powershell Reverse Shell
Behaviour
Behavior Graph (the rendered graph is not reproducible here; the node labels it carried are listed below):
Behavior Graph ID: 1503198
Sample: shell.bat
Startdate: 03/09/2024
Architecture: WINDOWS
Score: 76
Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected Powershell Reverse Shell; 2 other signatures
Process tree:
  shell.bat -> cmd.exe (started)
    signature: Suspicious powershell command line found
    -> powershell.exe (started)
      -> network: 80.76.176.23 on port 4444 (local port 49730), ORNRU-ASKvant-telecomuplinkRU, Russian Federation
      -> cmd.exe (started)
    -> conhost.exe (started)
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2024-09-02 08:23:46 UTC
File Type: Text (Batch)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 8/10
Tags: execution
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Batch (bat) 94348b8aba05449059863153d86e7f4cea880aacb65238bb3666dabeaa9aaffe (this sample)

Delivery method: Distributed via web download

Comments