MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1c08b96221902160c17fca328be316d4633e0e23cd9f83b31d4a82a41fe6a83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10

SHA256 hash: b1c08b96221902160c17fca328be316d4633e0e23cd9f83b31d4a82a41fe6a83
SHA3-384 hash: c76cdf5ee264a4c89379ad8f9076729f044f24d4d7abbfaebce857f56ae6daa1df6ea796ae98d8961127a1e3fbec52de
SHA1 hash: c42b1bfe8c185db0ea99cd9a061d0759671cbb0a
MD5 hash: 461727b983208130a838fa52b5bf15be
humanhash: fifteen-missouri-fruit-delaware
File name: Script.ps1
File size: 8'774'231 bytes
First seen: 2025-08-30 14:37:44 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 12288:LB4XaWSlm7V7A37At/7Atu57AtujC7AtujHw7AtujHat7AtujHahn7AtujHahiMZ:F
TLSH: T11F968ADB639C07FDA6984DDE420A354B61E2C1772C7F1288A9E24507B43FE12BA35B74
Magika: powershell
Reporter: abuse_ch
Tags: ps1
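Before handling the sample, confirm that the copy on disk is the one catalogued here: compare every hash listed above (MD5, SHA1, SHA256, SHA3-384) plus the file size against the entry. The script below is an added example written for this page, not MalwareBazaar code; the expected values are copied from the entry, and the path argument is an assumption (point it at the extracted Script.ps1).

```python
"""Verify a local copy of the sample against the hashes and size published
on the MalwareBazaar entry. Added example for this page, not MalwareBazaar's
own tooling. Expected values are taken from the entry above."""
import hashlib
import sys
from pathlib import Path

# Values copied from the database entry above.
EXPECTED = {
    "md5": "461727b983208130a838fa52b5bf15be",
    "sha1": "c42b1bfe8c185db0ea99cd9a061d0759671cbb0a",
    "sha256": "b1c08b96221902160c17fca328be316d4633e0e23cd9f83b31d4a82a41fe6a83",
    "sha3_384": "c76cdf5ee264a4c89379ad8f9076729f044f24d4d7abbfaebce857f56ae6daa1df6ea796ae98d8961127a1e3fbec52de",
}
EXPECTED_SIZE = 8_774_231  # "File size" from the entry, in bytes


def digest_bytes(data: bytes) -> dict:
    """Hex digests of `data` for every algorithm named in EXPECTED."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in EXPECTED}


def compare(actual: dict, expected: dict) -> dict:
    """Per-algorithm match table; hex case is ignored, missing digests fail."""
    return {
        algo: actual.get(algo, "").lower() == expected[algo].lower()
        for algo in expected
    }


def evaluate(actual: dict, size: int, expected: dict, expected_size: int) -> tuple:
    """Return (ok, problems): problems lists mismatched algorithms and/or size."""
    problems = [algo for algo, ok in compare(actual, expected).items() if not ok]
    if size != expected_size:
        problems.append(f"size {size} != {expected_size}")
    return (not problems, problems)


def verify_file(path: Path, expected: dict = EXPECTED, expected_size: int = EXPECTED_SIZE) -> tuple:
    """Stream the file once through all hashers (the sample is ~8.7 MB)."""
    hashers = {algo: hashlib.new(algo) for algo in expected}
    size = 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    actual = {algo: h.hexdigest() for algo, h in hashers.items()}
    return evaluate(actual, size, expected, expected_size)


if __name__ == "__main__":
    # Assumed invocation: python verify_sample.py /path/to/Script.ps1
    ok, problems = verify_file(Path(sys.argv[1]))
    print("OK: hashes and size match the entry" if ok else f"MISMATCH: {problems}")
    sys.exit(0 if ok else 1)
```

A non-zero exit on any mismatch makes the check safe to drop into an analysis pipeline; a size mismatch with matching hashes is impossible, so seeing only "size" in the problem list means the expected size constant, not the file, is wrong.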

Intelligence

File Origin
# of uploads: 1
# of downloads: 48
Origin country: SE
Vendor Threat Intelligence

Verdict: Malicious
Score: 91.7%
Tags: spawn virus sage

Verdict: Malicious
File Type: ps1
First seen: 2025-08-28T12:42:00Z UTC
Last seen: 2025-08-28T12:42:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.PowerShell.Generic
Result
Threat name: n/a
Detection: malicious
Classification: spyw.expl.evad
Score: 100 / 100
Signatures:
AI detected malicious Powershell script
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Behaviour
Behavior Graph ID: 1767039
Sample: Script.ps1
Start date: 28/08/2025
Architecture: WINDOWS
Score: 100

Sample-level signatures:
AI detected malicious Powershell script
Joe Sandbox ML detected suspicious sample
Sigma detected: Rundll32 Execution Without CommandLine Parameters

Process tree (from the behavior graph):
powershell.exe
    signatures: Found many strings related to Crypto-Wallets (likely being stolen); Suspicious execution chain found; Loading BitLocker PowerShell Module
    -> InstallUtil.exe
        signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); 7 other signatures
        -> chrome.exe (three instances; each spawns two WerFault.exe instances)
        -> 3 other processes
    -> conhost.exe
svchost.exe
    -> network contact: 127.0.0.1 (unknown)
Result
Malware family: n/a
Score: 5/10
Tags: execution
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
SmartAssembly .NET packer
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments