MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b72e2fb08b6d2863b4cf984fb2e89868527010a15e6d4689986b8d704ad63440. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b72e2fb08b6d2863b4cf984fb2e89868527010a15e6d4689986b8d704ad63440
SHA3-384 hash: 4c670535822970e48637d2ce9deda9e5e8eb8b643b14ea6a5051e4886857ef7660c6514e21265741719221ac3bf70c6d
SHA1 hash: 5412c243cb04bcdbba46aa6fb816383b7d7fbed3
MD5 hash: f974bbe206b1024d07b92ddcd3066e69
humanhash: papa-apart-kansas-undress
File name:info.ps1
Download: download sample
File size:766 bytes
First seen:2023-03-17 11:29:52 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:fTTTTTTTTTjk3pLx2VoAmI0opeLbff++2NrJWrFRbbqFuAwACYT/OddWTjTC:fTTTTTTTTTjk5dRAmIDMLbffINr8bXqE
Threatray 17 similar samples on MalwareBazaar
TLSH T141014438C1529BC3B809FA3327DB29B02034F7D386ED50D4498045CF15FE059909917B
Reporter ankit_anubhav
Tags:ps1 TA558

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
TH TH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Obfus-173.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64144f3de6d26a096f56f5e4/reports/f52acf51-0c89-4e7b-87e3-03ccc3b50b4c/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Boxter.794
Link:
https://www.hybrid-analysis.com/sample/b72e2fb08b6d2863b4cf984fb2e89868527010a15e6d4689986b8d704ad63440
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1195756
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 828653 Sample: info.ps1 Startdate: 17/03/2023 Architecture: WINDOWS Score: 56 16 Antivirus detection for URL or domain 2->16 18 Multi AV Scanner detection for submitted file 2->18 6 powershell.exe 27 2->6         started        process3 process4 8 conhost.exe 6->8         started        10 replace.exe 1 6->10         started        12 replace.exe 1 6->12         started        14 9 other processes 6->14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b72e2fb08b6d2863b4cf984fb2e89868527010a15e6d4689986b8d704ad63440/
Threat name:
Win32.Dropper.Boxter
Create hunting rule
Status:
Malicious
First seen:
2023-03-17 11:30:08 UTC
File Type:
Text (VBS)
AV detection:
5 of 24 (20.83%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4xc7melnuughngptbh3f2eynbjhaefblzwuncmynogxaswwgraa._file
Verdict:
unknown
Similar samples:
0e6761acc6a4da6c360730da8c1a3a03e782058c51bb95e47946f52a7524bada
3b683c8627dfd6a3bf7f1d637766868dac0f4ea6ced075c7dcef3957f8f4f2df
6bd0c6d56d0d7032b5a3c4dbedeed93a4d384ebb2b3323ba5dda825b35337d04
7bd646e24c8326e0165f50622692ee7ee7cb968ac328c30e3cbc0992147587ae
83bd3135be3d6ca1f64c52bdd7ac1a4a39c82103d62d05a2b0e1b77d3d5e6d6e
8e530e70992638583d35864d3d6309e33db90c7036efbdddc4b2e5d37e939a0b
a5383c09151a442896e9ccd296d5a0dc7c226ff9d208ff5bceaab3c5824a9791
c8448316db0ee7b4fd569ae5b141d38352a999964cff52ac89926e6c149d9cd7
edc963de4546bcafaf97a670528e93484da28fbc7db7a66c59c6048ed83926f5
f005c083dad24867ccb5d6877e48f78ac02955ea72017c6b4e5015096f3ddd6e
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230317-nl5r8aga37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b72e2fb08b6d2863b4cf984fb2e89868527010a15e6d4689986b8d704ad63440

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:OBFUS_PowerShell_Common_Replace
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the common usage of replace for obfuscation

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments