MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b586fa5f52db4174903bbf53eaeb0537b4e7ee9b9f2f42c514536b07f471c754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b586fa5f52db4174903bbf53eaeb0537b4e7ee9b9f2f42c514536b07f471c754
SHA3-384 hash: 6061fa33462195dc8e63fa6fb5abb48774036796f6567709e14a93cb18dc58b0fa7b08b6c4cb067e13f35ac569eca741
SHA1 hash: b3f49c5ef8aefcf2a71b7a4d9b3e3db828858b12
MD5 hash: 8d874f12ce20227c87d4941a331577da
humanhash: colorado-lactose-bakerloo-eleven
File name:output_p62tsoft.js
Download: download sample
File size:808'248 bytes
First seen:2026-06-11 09:14:26 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:UCRtknm7qLibbu8kMJQaA+IZxgdpO34zkXK3STt8fISQ4xljSLQiOHdSEAnxhV91:bXkqC
Threatray 89 similar samples on MalwareBazaar
TLSH T18005D43DCE14412EE872C519C8A9855FF8922597222CED4790CB3F5FAE73886B3D225D
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter threatcat_ch
Tags:js

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.JS.Starter.169.25235.20084.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2a7c8ea15110463ee4b872
Tags:
n/a
Verdict:
Malicious
Labled as:
JS/Agent.URN trojan
Link:
https://www.hybrid-analysis.com/sample/b586fa5f52db4174903bbf53eaeb0537b4e7ee9b9f2f42c514536b07f471c754
Verdict:
Malicious
File Type:
js
First seen:
2026-06-11T01:49:00Z UTC
Last seen:
2026-06-11T05:43:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/b586fa5f52db4174903bbf53eaeb0537b4e7ee9b9f2f42c514536b07f471c754/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1926458
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Powershell scriptblock execution from environment variable
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1926458 Sample: output_p62tsoft.js Startdate: 11/06/2026 Architecture: WINDOWS Score: 100 31 vrdccbank.com 2->31 53 Antivirus detection for URL or domain 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 .NET source code contains potential unpacker 2->57 59 Sigma detected: WScript or CScript Dropper 2->59 10 wscript.exe 1 1 2->10         started        signatures3 process4 signatures5 61 JScript performs obfuscated calls to suspicious functions 10->61 63 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->63 65 Suspicious execution chain found 10->65 67 2 other signatures 10->67 13 conhost.exe 10->13         started        process6 process7 15 powershell.exe 15 20 13->15         started        dnsIp8 41 vrdccbank.com 103.174.10.44, 443, 49692 BROWNARC-AS-APBrownArcEnterprisesPrivateLimitedIN India 15->41 43 80.66.84.164, 1234, 49693, 49696 AS-GLOBALTELEHOST-GTHostUS Netherlands 15->43 45 Creates an undocumented autostart registry key 15->45 47 Tries to steal Mail credentials (via file / registry access) 15->47 49 Tries to harvest and steal browser information (history, passwords, etc) 15->49 51 3 other signatures 15->51 19 chrome.exe 3 15->19         started        22 chrome.exe 2 15->22 injected 24 chrome.exe 2 15->24 injected 26 4 other processes 15->26 signatures9 process10 dnsIp11 33 192.168.2.5, 1234, 138, 443 unknown unknown 19->33 28 chrome.exe 2 19->28         started        process12 dnsIp13 35 www.google.com 142.251.153.119, 443, 49705, 49707 GOOGLE-GoogleLLCUS United States 28->35 37 googlehosted.l.googleusercontent.com 172.253.124.132, 443, 49716 GOOGLE-GoogleLLCUS United States 28->37 39 3 other IPs or domains 28->39
Score:
72%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b586fa5f52db4174903bbf53eaeb0537b4e7ee9b9f2f42c514536b07f471c754
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b586fa5f52db4174903bbf53eaeb0537b4e7ee9b9f2f42c514536b07f471c754/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwdpux2s3naxjeb3x5j6v2yfg62op3u3t4xufriuknvqp5dry5ka._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
02f021137074a7eb8059a84ffd92a4c0588b9ab09fbd2ffd9aa534d4ee94b500
0cf49cdb5571c650e80af83316ddcb6ebabc205ac5929e14be4962b56ae382a9
12d51bb5ed6b4db145af16f70b1f498c5757c7d2420bd25f7313f4cb092b0419
3d21d84009b854c9ce26541075b37186418355b1a182b1bd59e432e3b1ba2e5b
580d4b2e65dee44be9ebb0eb5ad85346e807b44ccfd61468ece572cefca804ff
6a640d2dfdef8984777bd2de97349349b4336b65183d35fbd83093fd930ced94
761745042e6ba4fadd0bf1ef4a28df72d34caefddd294cd022a37cd6e282faea
7cc7c63542bfc39f82020d99cd5d84032ebcc85c3d941b1b9b2f74f52d529f20
a5903b21a481d11fd8ac07ba5ec097c300f40e247906a0ce2f05f6edccb7630d
c32b6b3dc86e292e46c705726ed9ac425c02391702fad0fa3c9d38a1580291fe
error
+ 79 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/260611-k7m8hsby5j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Checks computer location settings
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b586fa5f52db4174903bbf53eaeb0537b4e7ee9b9f2f42c514536b07f471c754

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Java Script (JS) js b586fa5f52db4174903bbf53eaeb0537b4e7ee9b9f2f42c514536b07f471c754

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments