MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2ceec3a65a3ea7d75e4c9f0ff5848a651c2124a30dedcffbe53c78842ca81f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SharpHide

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	a2ceec3a65a3ea7d75e4c9f0ff5848a651c2124a30dedcffbe53c78842ca81f9
SHA3-384 hash:	b0f1349734c0f903178849156f91c0120f833d54055768f97aa5d4a377874efe96f6bdbaf97fc5f76c7f99f6a80cd56a
SHA1 hash:	9fcd46649be4d936389b73a16cf388b93cbdd05a
MD5 hash:	6383cf3c93cdfea8b68bfa1d99eefec2
humanhash:	venus-triple-apart-gee
File name:	92.255.57_1.155.ps1
Download:	download sample
Signature	SharpHide Create hunting rule
File size:	98'186 bytes
First seen:	2025-01-24 09:20:52 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	1536:SB7npnFgighawXYexOyucRR8kExSWFiuTW2a4OlnlMLaUFQ6BXOns3R+R:SB7VzghaUYePuBkEx9W2a4OlnlMDFQYy
TLSH	T1F1A390318818B92FCEEF1F87A5142FD33C79153BDE551018A88F59B91E682385A7BF24
Magika	powershell
Reporter	JAMESWT_WT
Tags:	92-255-57-155 booking ps1 SharpHide Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.MSIL.Injector.9641.32591.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67935c99b5602ee8cdb04ac8

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

confuserex evasive lolbin net obfuscated packed packed regsvcs

Link:

https://www.filescan.io/uploads/67935b8438392647ab5a92d8/reports/8eac422c-36c2-49c8-b3e0-022dbe94d92d/overview

Verdict:

Malicious

Labled as:

Trojan[Dropper]/Agent.a

Link:

https://www.hybrid-analysis.com/sample/a2ceec3a65a3ea7d75e4c9f0ff5848a651c2124a30dedcffbe53c78842ca81f9

Result

Verdict:

MALICIOUS

Details

Base64 Encoded Powershell Directives

Detected one or more base64 encoded Powershell directives.

Base64 Encoded URL

Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result

Threat name:

SharpHide

Detection:

malicious

Classification:

adwa.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1598468

Signature

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Powershell download and execute

Yara detected SharpHide

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a2ceec3a65a3ea7d75e4c9f0ff5848a651c2124a30dedcffbe53c78842ca81f9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2ceec3a65a3ea7d75e4c9f0ff5848a651c2124a30dedcffbe53c78842ca81f9/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ulhoyotfupvh25pezhyp6wciuzi4eeskgdpnz756kpdyqqwkqh4q._file

Result

Malware family:

n/a

Score:

6/10

Tags:

discovery execution persistence

Link:

https://tria.ge/reports/250124-lba4ra1ndt/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SharpHide

ps1 a2ceec3a65a3ea7d75e4c9f0ff5848a651c2124a30dedcffbe53c78842ca81f9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3412359/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample