MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aca9bb436c3b0442ac014348424db86b40f63a25c26f837f3fea7b09d9f78903. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aca9bb436c3b0442ac014348424db86b40f63a25c26f837f3fea7b09d9f78903
SHA3-384 hash: 8a9a1887176828bd328b1208847d6c4d595c1a9420dade972b27f2421ecede30e34c7bd91abdb2f7a42daefce1f274c0
SHA1 hash: 1041e317d9dbdb37bdd823b7873b365457110239
MD5 hash: 29d8349bcffa8043c824884bdd136a42
humanhash: vermont-lion-wisconsin-alaska
File name:gets.ps1
Download: download sample
File size:8'067 bytes
First seen:2025-04-30 08:40:44 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 192:g7ynsnvynOzad4POVk1Gyp/SD2zKDUtXDZABygKlkO7BGTG:MTkhKIq
TLSH T1B0F1D91BD9048215C37373EA5991CD0DE78F009B92129F1D75ACA8843FF135D8AF69AB
Magika powershell
Reporter abuse_ch
Tags:ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6811e75ac8b2e86d0ac51246
Tags:
autorun dropper virus blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd evasive findstr fingerprint fltmc lolbin obfuscated reg wmic
Link:
https://www.filescan.io/uploads/6811e225c502e7176af9b8b9/reports/423ef95e-b3e3-4ce5-abf2-ca637fd44194/overview
Verdict:
Suspicious
Labled as:
PowerShell/HackTool.Agent
Link:
https://www.hybrid-analysis.com/sample/aca9bb436c3b0442ac014348424db86b40f63a25c26f837f3fea7b09d9f78903
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1678032
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
PE file has nameless sections
Powershell creates an autostart link
Powershell drops PE file
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1678032 Sample: gets.ps1 Startdate: 30/04/2025 Architecture: WINDOWS Score: 100 68 modulowinapp.com 2->68 70 conecwinlab.com 2->70 72 5 other IPs or domains 2->72 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for URL or domain 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 7 other signatures 2->96 10 powershell.exe 15 63 2->10         started        15 wscript.exe 1 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 dnsIp5 78 modulowinapp.com 185.255.122.89, 443, 49693, 49696 ICMESE Netherlands 10->78 80 winpopcach.com 185.255.122.94, 443, 49692, 49700 ICMESE Netherlands 10->80 82 raw.githubusercontent.com 185.199.108.133, 443, 49701 FASTLYUS Netherlands 10->82 60 C:\Users\user\AppData\Roaming\...\libssv.dll, PE32 10->60 dropped 62 C:\Users\user\AppData\Roaming\...\libspv.dll, PE32 10->62 dropped 64 C:\Users\user\AppData\...\libeay32.dll, PE32 10->64 dropped 66 5 other malicious files 10->66 dropped 104 Powershell creates an autostart link 10->104 106 Loading BitLocker PowerShell Module 10->106 108 Powershell drops PE file 10->108 19 cmd.exe 1 10->19         started        21 Enigma32g.exe 15 10->21         started        23 conhost.exe 10->23         started        28 2 other processes 10->28 110 Suspicious powershell command line found 15->110 112 Wscript starts Powershell (via cmd or directly) 15->112 114 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->114 116 Suspicious execution chain found 15->116 25 powershell.exe 14 35 15->25         started        84 127.0.0.1 unknown unknown 17->84 file6 signatures7 process8 signatures9 30 cmd.exe 19->30         started        33 conhost.exe 19->33         started        35 chrome.exe 21->35         started        100 Found suspicious powershell code related to unpacking or dynamic code loading 25->100 102 Loading BitLocker PowerShell Module 25->102 38 conhost.exe 25->38         started        process10 dnsIp11 118 Suspicious powershell command line found 30->118 120 Wscript starts Powershell (via cmd or directly) 30->120 122 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 30->122 40 cmd.exe 30->40         started        43 cmd.exe 30->43         started        45 conhost.exe 30->45         started        52 14 other processes 30->52 74 192.168.2.5, 138, 443, 49675 unknown unknown 35->74 76 192.168.2.8 unknown unknown 35->76 47 chrome.exe 35->47         started        50 chrome.exe 35->50         started        signatures12 process13 dnsIp14 98 Wscript starts Powershell (via cmd or directly) 40->98 54 powershell.exe 40->54         started        56 cmd.exe 43->56         started        58 cmd.exe 43->58         started        86 www.google.com 192.178.49.196, 443, 49710 GOOGLEUS United States 47->86 88 winpopcach.com 47->88 signatures15 process16
Score:
13%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/aca9bb436c3b0442ac014348424db86b40f63a25c26f837f3fea7b09d9f78903
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aca9bb436c3b0442ac014348424db86b40f63a25c26f837f3fea7b09d9f78903/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsu3wq3mhmceflabineeetnynnapmorfyjxyg7z75j5qtwpxrebq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250430-klj9qsgn3v/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Launches sc.exe
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://conecwinlab.com/getapp.ps1
https://conecwinlab.com/getapp2.ps1
https://massgrave.dev/troubleshoot
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aca9bb436c3b0442ac014348424db86b40f63a25c26f837f3fea7b09d9f78903

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 aca9bb436c3b0442ac014348424db86b40f63a25c26f837f3fea7b09d9f78903

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3484463/
  
Delivery method
Distributed via web download

Comments