MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b09539cbda49c4c870bba07756eac1c7688e61efb8ea6e9bc2eac6eb53a7df7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SharpHide


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b09539cbda49c4c870bba07756eac1c7688e61efb8ea6e9bc2eac6eb53a7df7d
SHA3-384 hash: 27d0b3dddcf853bab08ab53ac7c6609423e3728b001dc1bcd3a260ab4f72bd732cc25163e18c9c744d9789f004570320
SHA1 hash: fef52fef81f528d774c8697acd365fa221062715
MD5 hash: 588668b65bcdf17c2731b5300c9dfa99
humanhash: fix-oranges-south-georgia
File name:b09539cbda49c4c870bba07756eac1c7688e61efb8ea6e9bc2eac6eb53a7df7d.ps1
Download: download sample
Signature SharpHide
Create hunting rule
File size:120'611 bytes
First seen:2025-01-17 08:35:59 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3072:G7ZBqVuu4Z/njbXCmqx65NqoYM8DPRB3seN4jo+m7EcSxLEWRbI/LHfykXhHIe2/:G7DqVuu4Z/njbXCmqx65NqoYM8DPRB3M
TLSH T1A6C32A331203FD8F676F2F89E8003AA51CBC607B9B1D4158F9C907AA51EA520DE79DB5
Magika powershell
Reporter JAMESWT_WT
Tags:85-209-11-15 booking ps1 SharpHide

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.74755850.3734.2733.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678a1679aa9c8e7858df2040
Tags:
stealer virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex evasive lolbin net obfuscated regsvcs strelastealer
Link:
https://www.filescan.io/uploads/678a167dc8e8c250f19399c1/reports/460d59e8-b9a4-4e0d-975f-e1750b94526b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b09539cbda49c4c870bba07756eac1c7688e61efb8ea6e9bc2eac6eb53a7df7d
Result
Verdict:
UNKNOWN
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
SharpHide
Create hunting rule
Detection:
malicious
Classification:
adwa.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1593516
Signature
AI detected suspicious sample
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected SharpHide
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1593516 Sample: IbE8WzaHjw.ps1 Startdate: 17/01/2025 Architecture: WINDOWS Score: 68 13 Multi AV Scanner detection for submitted file 2->13 15 Yara detected SharpHide 2->15 17 AI detected suspicious sample 2->17 6 powershell.exe 19 2->6         started        process3 signatures4 19 Writes to foreign memory regions 6->19 21 Injects a PE file into a foreign processes 6->21 9 RegSvcs.exe 1 1 6->9         started        11 conhost.exe 6->11         started        process5
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b09539cbda49c4c870bba07756eac1c7688e61efb8ea6e9bc2eac6eb53a7df7d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b09539cbda49c4c870bba07756eac1c7688e61efb8ea6e9bc2eac6eb53a7df7d/
Threat name:
Script-PowerShell.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2024-10-31 15:16:25 UTC
File Type:
Text
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wcktts62jhcmq4f3ub3vn2wby5ui4yppxdvg5g6c5ldowu5h356q._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250117-khjtssypby/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments