MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a21d5eeb730560acbf17c86246dbee7870b3aafb007a71440e89cf2b346b6f8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1

SHA256 hash: a21d5eeb730560acbf17c86246dbee7870b3aafb007a71440e89cf2b346b6f8b
SHA3-384 hash: e882a27e8ae241509f1513113e1a8dc22df53df6a2926338ba0fd69c52252558b597c9d704a14f0dae4f35157ff69dbb
SHA1 hash: b55f2f0924c818864ff8faa93884dafd6d4167c9
MD5 hash: 8228d367af278e47c1d783b56a43baad
humanhash: pizza-arkansas-texas-table
File name:givemesomethingsgood.hta
Download: download sample
File size:38'270 bytes
First seen:2026-07-14 09:12:01 UTC
Last seen:2026-07-14 13:18:30 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:q+qKN7yN7xN7qUN7kzpN7iN7yu4aVHV2VLVTVyz4FVrVQV21V2VFXx9nA9O:pEHpCp0Yp8Mz1g
TLSH T1C503E93A2EE330AB6D03A22704E5A859CA57B85B3606703EF1DC06FEDF55034A591D6E
Magika html
Reporter abuse_ch
Tags:hta

Intelligence


File Origin
# of uploads :
2
# of downloads :
66
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Tags:
xtreme shell sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Payload URLs
URL
File name
http://107.172.247.123/227/vmc.exe
HTA File
Behaviour
BlacklistAPI detected
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Signature
Antivirus / Scanner detection for submitted sample
Encrypted powershell cmdline option found
Found evasive API chain checking for user administrative privileges
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1942040 Sample: givemesomethingsgood.hta Startdate: 14/07/2026 Architecture: WINDOWS Score: 88 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Sigma detected: Suspicious MSHTA Child Process 2->55 57 4 other signatures 2->57 9 mshta.exe 1 2->9         started        process3 signatures4 61 PowerShell case anomaly found 9->61 12 cmd.exe 1 9->12         started        process5 signatures6 63 Encrypted powershell cmdline option found 12->63 65 PowerShell case anomaly found 12->65 15 powershell.exe 15 19 12->15         started        20 conhost.exe 12->20         started        process7 dnsIp8 47 107.172.247.123, 49698, 80 AS-COLOCROSSING-HostPapaUS United States 15->47 29 C:\Users\user\AppData\Roaming\vmc.exe, PE32 15->29 dropped 49 Powershell drops PE file 15->49 22 vmc.exe 74 15->22         started        file9 signatures10 process11 file12 31 C:\Program Files (x86)\...behaviorgraphoogleUpdate.exe, PE32 22->31 dropped 33 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 22->33 dropped 35 C:\Program Files (x86)behaviorgraphoogle\...\psuser.dll, PE32 22->35 dropped 37 65 other files (none is malicious) 22->37 dropped 59 Found evasive API chain checking for user administrative privileges 22->59 26 GoogleUpdate.exe 7 73 22->26         started        signatures13 process14 file15 39 C:\Program Files (x86)\...behaviorgraphoogleUpdate.exe, PE32 26->39 dropped 41 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 26->41 dropped 43 C:\Program Files (x86)behaviorgraphoogle\...\psuser.dll, PE32 26->43 dropped 45 66 other files (none is malicious) 26->45 dropped
Verdict:
Malware
YARA:
4 match(es)
Tags:
DeObfuscated Html PowerShell T1027 T1059.001
Threat name:
Script-WScript.Trojan.Runner
Status:
Malicious
First seen:
2026-07-14 08:02:35 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HTML Application (hta) hta a21d5eeb730560acbf17c86246dbee7870b3aafb007a71440e89cf2b346b6f8b

(this sample)

  
Delivery method
Distributed via web download

Comments



Avatar
commented on 2026-07-14 09:54:35 UTC

Payload URL:
http://107.172.247.123/227/vmc.exe