MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4f0f1478bf65775dddc0769fe644f49876d6fde5885815f0a6112d1c0faeb2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	b4f0f1478bf65775dddc0769fe644f49876d6fde5885815f0a6112d1c0faeb2a
SHA3-384 hash:	75fe1dc22522b13fbe36454535fc60a6370863839aa541b9d8a48282bdf1e968bd357cef1deaa0b817844795ca16885a
SHA1 hash:	d1287d5bb5df9431dd2dbe772d08517949b8e5de
MD5 hash:	7d3d61da08af4d1d1f69235a0619c66d
humanhash:	pasta-whiskey-hamper-georgia
File name:	COSCO_ARRIVAL_0202202693937199203857211.bat
Download:	download sample
File size:	6'013 bytes
First seen:	2026-02-02 16:51:19 UTC
Last seen:	Never
File type:	bat
MIME type:	text/plain
ssdeep	96:ZeOHra0zMiJFKHaIASEWu5I1f+MXkOEN4lN2nDzWZDahXBQFdjSH/Sl3Wv8nKz:pLaFiJFaASA5IYPRnDzWZahxWjSfSl3+
Threatray	1'492 similar samples on MalwareBazaar
TLSH	T121C15D73052AF21A39D926F661A85A11F354DEC084F0EC64C675F0291FCEF5E23EE698
Magika	batch
Reporter	Anonymous
Tags:	bat

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_b4f0f1478bf65775dddc0769fe644f49876d6fde5885815f0a6112d1c0faeb2a.txt

Verdict:

No threats detected

Analysis date:

2026-02-02 16:53:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7f9c9624-8843-4f46-b041-b519c6e926e8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51257/

Detection(s):

SecuriteInfo.com.BAT.Obfus-4.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6980d644a9ffec4a96095990

Tags:

dropper rapid shell sage

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Downloading the file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

powershell powershell timeout

Link:

https://www.filescan.io/uploads/6980d640930564ff3c846243/reports/d39071eb-371f-4c31-bcdd-55dd19681608/overview

Verdict:

Malicious

Labled as:

BZC.PZQ.Pantera.272

Link:

https://www.hybrid-analysis.com/sample/b4f0f1478bf65775dddc0769fe644f49876d6fde5885815f0a6112d1c0faeb2a

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-02-02T10:33:00Z UTC

Last seen:

2026-02-03T15:49:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C HEUR:Trojan.BAT.Alien.gen

Link:

https://opentip.kaspersky.com/b4f0f1478bf65775dddc0769fe644f49876d6fde5885815f0a6112d1c0faeb2a/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b4f0f1478bf65775dddc0769fe644f49876d6fde5885815f0a6112d1c0faeb2a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4f0f1478bf65775dddc0769fe644f49876d6fde5885815f0a6112d1c0faeb2a/

Verdict:

Malicious

Threat:

RemoteAdmin.Win32.ConnectWise

Link:

https://tip.neiki.dev/file/b4f0f1478bf65775dddc0769fe644f49876d6fde5885815f0a6112d1c0faeb2a

Threat name:

Script.Trojan.Pantera

Status:

Malicious

First seen:

2026-02-02 16:33:26 UTC

File Type:

Text (Batch)

AV detection:

6 of 24 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wtypcr4l6zlxlxo4a5u74zcpjgdw2366lccycxykmejndqh25mva._file

Verdict:

malicious

Label(s):

admintool_screenconnect

kalambur

1e27ef7fb06896dbb30f2a7e10ac71adf68c4650013963bed181f0803235c2ff

63505f13269fbcf30eb3533ce2ba4ec3b9b04bd48f278ac5813779bc0f8416b7

a57bcb1a4cf3ae2944f663ecc755b4fcbe70e24f2bbef42b3633b45be39234dd

ab258b4e6868de773c9d532d7410a53a3a81861163ac0238100d1bdd8f2b0ed1

error

+ 1'482 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

backdoor defense_evasion discovery execution persistence privilege_escalation rat revoked_codesign

Link:

https://tria.ge/reports/260202-vdghzsey4e/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Command and Scripting Interpreter: PowerShell

Contacts third-party web service commonly abused for C2

Enumerates connected drives

Checks computer location settings

ConnectWise ScreenConnect remote access tool

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Binary is signed using a ConnectWise certificate revoked for key compromise.

Downloads MZ/PE file

Sets service image path in registry

Malware Config

Dropper Extraction:

https://github.com/MasterP-dot/03/raw/main/bin.exe

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4f0f1478bf65775dddc0769fe644f49876d6fde5885815f0a6112d1c0faeb2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51257/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample