MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 986fceecb30ce9b231dc6668f91e8a55e7cd7e2f2d9c85dee069d3712f23538a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 986fceecb30ce9b231dc6668f91e8a55e7cd7e2f2d9c85dee069d3712f23538a
SHA3-384 hash: 8a8a750468bbee8eac5db4aa54b6c7ea33972550764374226947b4fa6fc0cc57fe14e6beef582584955a7023acb79233
SHA1 hash: ab2c46c4e80f99699d1f914c66b087a11296b357
MD5 hash: 1bad3f6fbedf1f57ffc5dc2155621b76
humanhash: delaware-tennessee-monkey-zebra
File name:file (1).txt
Download: download sample
File size:1'239 bytes
First seen:2024-11-25 05:36:49 UTC
Last seen:2024-11-25 05:37:18 UTC
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24:wi+EWOsNR4ypdnoY95/fPgiwQs2/Sg6o1z5k/TdOg3SY23:wEWOsN6k99f4iwiW6zO/TdOgW3
TLSH T12521DF6B149EA115093AC2ECCD1C1555E300206F53092FE677617C586FB6980A9FB5EB
Magika batch
Reporter lontze7
Tags:bat

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file (1).txt
Verdict:
No threats detected
Analysis date:
2024-11-25 05:40:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c1a81825-25cb-45da-9ec7-6a40101c36fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67441660d0583382434afd64
Tags:
autorun gumen
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade powershell
Link:
https://www.filescan.io/uploads/67440cfeae263b2803d652a8/reports/e553e080-494b-4aac-aa81-74316116c657/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/986fceecb30ce9b231dc6668f91e8a55e7cd7e2f2d9c85dee069d3712f23538a
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1562070
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Downloads files with wrong headers with respect to MIME Content-Type
Drops script or batch files to the startup folder
Powershell drops PE file
Sigma detected: Drops script at startup location
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562070 Sample: file (1).txt.bat Startdate: 25/11/2024 Architecture: WINDOWS Score: 92 95 x1.i.lencr.org 2->95 97 edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->97 99 default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->99 109 Antivirus detection for URL or domain 2->109 111 Sigma detected: Drops script at startup location 2->111 113 Uses an obfuscated file name to hide its real file extension (double extension) 2->113 115 5 other signatures 2->115 15 cmd.exe 3 2 2->15         started        18 cmd.exe 2->18         started        20 svchost.exe 2->20         started        signatures3 process4 dnsIp5 125 Suspicious powershell command line found 15->125 127 Drops script or batch files to the startup folder 15->127 23 powershell.exe 12 15->23         started        25 powershell.exe 14 16 15->25         started        30 powershell.exe 16 15->30         started        38 3 other processes 15->38 32 conhost.exe 18->32         started        34 where.exe 18->34         started        36 powershell.exe 18->36         started        40 3 other processes 18->40 101 127.0.0.1 unknown unknown 20->101 signatures6 process7 dnsIp8 42 cmd.exe 23->42         started        105 18.181.154.24, 49730, 49731, 49740 AMAZON-02US United States 25->105 89 C:\Users\user\AppData\Local\Temp\file.pdf, PHP 25->89 dropped 119 Powershell drops PE file 25->119 91 C:\Users\user\AppData\Local\Temp\file.bat, DOS 30->91 dropped 46 AcroCEF.exe 107 38->46         started        file9 signatures10 process11 file12 93 C:\Users\user\AppData\Roaming\...\file.bat, DOS 42->93 dropped 121 Suspicious powershell command line found 42->121 48 powershell.exe 42->48         started        50 powershell.exe 42->50         started        53 conhost.exe 42->53         started        58 3 other processes 42->58 55 AcroCEF.exe 46->55         started        signatures13 process14 dnsIp15 60 cmd.exe 48->60         started        87 C:\Users\user\AppData\Local\Temp\file.exe, PE32+ 50->87 dropped 103 34.193.227.236, 443, 49744, 49749 AMAZON-AESUS United States 55->103 file16 process17 signatures18 123 Suspicious powershell command line found 60->123 63 powershell.exe 60->63         started        65 where.exe 60->65         started        67 powershell.exe 60->67         started        69 2 other processes 60->69 process19 process20 71 cmd.exe 63->71         started        signatures21 117 Suspicious powershell command line found 71->117 74 powershell.exe 71->74         started        76 where.exe 71->76         started        78 powershell.exe 71->78         started        80 2 other processes 71->80 process22 process23 82 cmd.exe 74->82         started        signatures24 107 Suspicious powershell command line found 82->107 85 where.exe 82->85         started        process25
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/986fceecb30ce9b231dc6668f91e8a55e7cd7e2f2d9c85dee069d3712f23538a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/986fceecb30ce9b231dc6668f91e8a55e7cd7e2f2d9c85dee069d3712f23538a/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tbx453ftbtu3emo4mzupshukkxt427rpfwoilxxanhjxclzdkofa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/241125-g1191sypap/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/986fceecb30ce9b231dc6668f91e8a55e7cd7e2f2d9c85dee069d3712f23538a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Batch (bat) bat 986fceecb30ce9b231dc6668f91e8a55e7cd7e2f2d9c85dee069d3712f23538a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3303798/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3303799/

Comments