MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a79867d10cc8e2fe3f4c514905cc59f64d37273544fc45cbebf8c643968559cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a79867d10cc8e2fe3f4c514905cc59f64d37273544fc45cbebf8c643968559cd
SHA3-384 hash: 7a549a28747a4268f80b67edba8aa1c7b271a7a9ce971cb557cbd2b209936238910ea05b6c592c309fdb2d71c4085cf3
SHA1 hash: 55a50cd8a4a80288bb844c4d3d7630fc72a9e3b7
MD5 hash: 993f8ccbb93da1bd3f121c4ea24dd721
humanhash: fruit-august-hot-bakerloo
File name:a79867d10cc8e2fe3f4c514905cc59f64d37273544fc45cbebf8c643968559cd.ps1
Download: download sample
File size:1'402 bytes
First seen:2025-12-23 07:56:46 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24:zUIV2S9ZV2KV23XQV2KV2Umh+V2kknkV2Uc5E2V2mKeV2UpmQsV2IAaV2+PMnV2c:zUIVl3VnVHVnVh0+VxPVhgVbKeVhpmQ9
Threatray 58 similar samples on MalwareBazaar
TLSH T142218B1139F025A809D3C3966A0C1ADA632D8BDE6A7C00F1E607DE2D0618091739F7ED
Magika powershell
Reporter JAMESWT_WT
Tags:melasio-com ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
33
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694a4b5ca6c88bb4cc23e59e
Tags:
smarts keylog micro
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/694a4b58e126b9ff438ddd2c/reports/55587544-0461-45b7-9a4a-8967b4fef780/overview
Verdict:
Suspicious
Labled as:
DR/SNH
Link:
https://www.hybrid-analysis.com/sample/a79867d10cc8e2fe3f4c514905cc59f64d37273544fc45cbebf8c643968559cd
Verdict:
Malicious
File Type:
ps1
First seen:
2025-12-23T05:15:00Z UTC
Last seen:
2025-12-23T06:37:00Z UTC
Hits:
~10
Detections:
Trojan-Spy.Win32.Xegumumune.sbc Trojan-PSW.MSIL.Stealer.sb Trojan-Dropper.Win32.Agent.sb Trojan.APosT.UDP.C&C PDM:Trojan.Win32.Generic Trojan.Win32.APosT.blvr
Link:
https://opentip.kaspersky.com/a79867d10cc8e2fe3f4c514905cc59f64d37273544fc45cbebf8c643968559cd/results?tab=lookup
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/a79867d10cc8e2fe3f4c514905cc59f64d37273544fc45cbebf8c643968559cd
Verdict:
Malware
YARA:
1 match(es)
Tags:
Base64 Block Contains Base64 Block DeObfuscated PowerShell
Link:
https://app.malva.re/file/993f8ccbb93da1bd3f121c4ea24dd721
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a79867d10cc8e2fe3f4c514905cc59f64d37273544fc45cbebf8c643968559cd/
Verdict:
Malicious
Threat:
Trojan.Win32.APosT
Link:
https://tip.neiki.dev/file/a79867d10cc8e2fe3f4c514905cc59f64d37273544fc45cbebf8c643968559cd
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-22 22:58:38 UTC
File Type:
Text (PowerShell)
AV detection:
1 of 36 (2.78%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6mgpuimzdrp4p2mkfeqltcz6zgtojzvit6els7l7ddehfuflhgq._file
Verdict:
malicious
Label(s):
castlerat
Create hunting rule
Similar samples:
0b93b73e87318abccd24e44e2040bb0dc369c6cd0ac873f7977e40b17796bd82
0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3
0fa8d2dce87fd3e27c2543c9dcf2931fdafd856ca4e14ee21531fb942dc3b36e
41657910cd010c7e5ebbbfc11a2636fa1868a9bffe78d98b8faa7bd0e9c5c3b8
c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919
e779e7c5dfba028f616eb4efc98523561e194c0cbb99192a9dab535f9d7936a4
error
f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279
+ 48 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence spyware stealer
Link:
https://tria.ge/reports/251223-jwshesylgx/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Reads user/profile data of web browsers
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments