MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1fd8a4efda12d4ce3f7fa8adaf705dbab2b3b73434334c1fcb2306ff1d390b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1fd8a4efda12d4ce3f7fa8adaf705dbab2b3b73434334c1fcb2306ff1d390b1
SHA3-384 hash: 435b58d598d645daf1628609812a97c0b2516d3360bcafb016c7da2ad28ad2a9f7e0434184a8696b2ac8713848309100
SHA1 hash: eb06f635e30520fd8e764a3c6fc1216c798400c7
MD5 hash: 461d549b45e71d09f616ea14cf0f46d2
humanhash: quebec-nebraska-eleven-batman
File name:verify-captcha-987.b-cdn.net.ps1
Download: download sample
File size:147 bytes
First seen:2024-08-08 18:36:34 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3:VSJJLNyAmarBanfknMVpvF7HMV20RtkpxhoHMN11H6BtoaRtkpfhn:snyuW5VpvF7HMEvpxh7DH6Byxpfhn
TLSH T169C09B226189AEC8D74D70245C0E0DDF2065C595FBF15594F9A5888F7E01E39D72C40C
Reporter aachum
Tags:ps1


Avatar
iamaachum
https://verify-captcha-987.b-cdn.net/verify-captcha-v3.html

Asked to paste PowerShell script in Win+R.

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b51050b35234d5cc65b7f6
Tags:
Execution Generic Infostealer Network Stealth
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin masquerade mshta powershell
Link:
https://www.filescan.io/uploads/66b5104fe565ee98cf3da54c/reports/cd5007fc-a6ec-4f39-89b0-85dfbbac8a58/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b1fd8a4efda12d4ce3f7fa8adaf705dbab2b3b73434334c1fcb2306ff1d390b1
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1490188
Signature
AI detected suspicious sample
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Very long command line found
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1490188 Sample: verify-captcha-987.b-cdn.net.ps1 Startdate: 08/08/2024 Architecture: WINDOWS Score: 100 70 microsoftcamp-c3.b-cdn.net 2->70 72 microcampzip-v1.b-cdn.net 2->72 82 Malicious sample detected (through community Yara rule) 2->82 84 Yara detected Clipboard Hijacker 2->84 86 Machine Learning detection for dropped file 2->86 88 4 other signatures 2->88 12 powershell.exe 11 2->12         started        15 svchost.exe 1 1 2->15         started        18 rundll32.exe 2->18         started        signatures3 process4 dnsIp5 102 Encrypted powershell cmdline option found 12->102 104 Powershell drops PE file 12->104 20 powershell.exe 7 12->20         started        22 conhost.exe 12->22         started        76 127.0.0.1 unknown unknown 15->76 signatures6 process7 process8 24 mshta.exe 17 20->24         started        dnsIp9 74 microsoftcamp-c3.b-cdn.net 89.187.169.39, 443, 49731, 49734 CDN77GB Czech Republic 24->74 60 C:\Users\user\AppData\Local\...\camp-v1[1], PE32 24->60 dropped 98 Suspicious powershell command line found 24->98 100 Very long command line found 24->100 29 powershell.exe 16 45 24->29         started        file10 signatures11 process12 file13 62 C:\Users\user\AppData\...\tak_deco_lib.dll, PE32+ 29->62 dropped 64 C:\Users\user\AppData\Local\...\lang-1058.dll, PE32 29->64 dropped 66 C:\Users\user\AppData\Local\...\lang-1049.dll, PE32 29->66 dropped 68 6 other malicious files 29->68 dropped 110 Loading BitLocker PowerShell Module 29->110 33 Setup.exe 7 29->33         started        37 conhost.exe 29->37         started        signatures14 process15 file16 52 C:\Users\user\AppData\...\tak_deco_lib.dll, PE32+ 33->52 dropped 54 C:\Users\user\AppData\Roaming\...\StrCmp.exe, PE32 33->54 dropped 78 Maps a DLL or memory area into another process 33->78 80 Found direct / indirect Syscall (likely to bypass EDR) 33->80 39 more.com 3 33->39         started        43 StrCmp.exe 37 33->43         started        signatures17 process18 file19 56 C:\Users\user\AppData\Local\Temp\mmv, PE32 39->56 dropped 58 C:\Users\user\AppData\...\ShowbizFender.pif, PE32 39->58 dropped 90 Drops PE files with a suspicious file extension 39->90 92 Writes to foreign memory regions 39->92 94 Found hidden mapped module (file has been removed from disk) 39->94 96 2 other signatures 39->96 45 ShowbizFender.pif 1 39->45         started        48 conhost.exe 39->48         started        50 ShowbizFender.pif 39->50 injected signatures20 process21 signatures22 106 Switches to a custom stack to bypass stack traces 45->106 108 Found direct / indirect Syscall (likely to bypass EDR) 45->108
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/b1fd8a4efda12d4ce3f7fa8adaf705dbab2b3b73434334c1fcb2306ff1d390b1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1fd8a4efda12d4ce3f7fa8adaf705dbab2b3b73434334c1fcb2306ff1d390b1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wh6yutx5uewuzy7x7kfnv5yf3ovswo3tinbtjqp4wiyg74otscyq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/240809-k48eaayfll/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction:
https://microsoftcamp-c3.b-cdn.net/camp-v1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1fd8a4efda12d4ce3f7fa8adaf705dbab2b3b73434334c1fcb2306ff1d390b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 b1fd8a4efda12d4ce3f7fa8adaf705dbab2b3b73434334c1fcb2306ff1d390b1

(this sample)

Executable exe 4de7b791a8a70bb57b6396c57553963320bf0e4e48be55a450e4bc0a59a79e0e

  
Link
https://tria.ge/240808-w5sk1a1cmd
  
Delivery method
Distributed via web download
  
Dropping
SHA256 4de7b791a8a70bb57b6396c57553963320bf0e4e48be55a450e4bc0a59a79e0e
  
Dropping
MD5 f0a82fcce76a638f3800a72f96ebdb00

Comments