MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7803b4cd3e87f9449bc3fa671a5831185da87fdc09a1410baf0cac1819133c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash: b7803b4cd3e87f9449bc3fa671a5831185da87fdc09a1410baf0cac1819133c6
SHA3-384 hash: 23c50caf654ef09c41dc43d3bdcd3c530e9415c504d084248c494adcb48520e97d7f9f7b17d2a437f2efdeacc0f528b5
SHA1 hash: bc228c410d38275f3b659ef2236deae8f259a722
MD5 hash: b3ca9650e5448cff1809489a198e6c3e
humanhash: mockingbird-colorado-lithium-one
File name:form_59474.pdf.ps1
Download: download sample
File size:27'193 bytes
First seen:2026-04-11 20:22:55 UTC
Last seen:2026-04-13 07:49:26 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 384:J3CD2nsmEHoLQcmkflB6g9zFehf9oCtqQqA7P5ZU2nGCthpFcYbSGP:8aXEHo8BkflR9hwf9oCQQqA7rGCtndP
TLSH T1C4C28E52BE94F07897CF7707B6B4F89159787BB1908DA90CA0DE908167DCBE0B63C191
Magika powershell
Reporter smica83
Tags:ps1 refundonex-com

Intelligence


File Origin
# of uploads :
2
# of downloads :
78
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
97.4%
Tags:
ransomware phishing shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aes anti-vm base64 crypto evasive fingerprint masquerade obfuscated powershell powershell
Verdict:
Malicious
File Type:
ps1
First seen:
2026-04-11T17:51:00Z UTC
Last seen:
2026-04-13T11:55:00Z UTC
Hits:
~10
Detections:
UDS:DangerousObject.Multi.Generic
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Deletes itself after installation
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Potential dropper URLs found in powershell memory
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1896930 Sample: form_59474.pdf.ps1 Startdate: 11/04/2026 Architecture: WINDOWS Score: 100 99 winup.su 2->99 101 refundonex.com 2->101 107 Malicious sample detected (through community Yara rule) 2->107 109 Yara detected UAC Bypass using CMSTP 2->109 111 Yara detected Powershell download and execute 2->111 113 11 other signatures 2->113 11 powershell.exe 15 52 2->11         started        16 wscript.exe 1 2->16         started        signatures3 process4 dnsIp5 103 refundonex.com 87.121.52.71, 443, 49693, 49699 NETERRA-ASBG Bulgaria 11->103 105 winup.su 87.121.52.72, 443, 49694, 49701 NETERRA-ASBG Bulgaria 11->105 89 C:\Users\user\AppData\Roaming\...\update.ps1, ASCII 11->89 dropped 91 C:\Users\user\AppData\...\launcher.vbs, ASCII 11->91 dropped 93 c8dd16350-875c-4ff...70-cd328c245d2e.ps1, Unicode 11->93 dropped 95 2 other malicious files 11->95 dropped 125 Suspicious powershell command line found 11->125 127 Found many strings related to Crypto-Wallets (likely being stolen) 11->127 129 Encrypted powershell cmdline option found 11->129 139 4 other signatures 11->139 18 powershell.exe 11->18         started        22 powershell.exe 11->22         started        24 powershell.exe 22 11->24         started        26 conhost.exe 11->26         started        131 Wscript starts Powershell (via cmd or directly) 16->131 133 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->133 135 Suspicious execution chain found 16->135 137 WScript reads language and country specific registry keys (likely country aware script) 16->137 28 powershell.exe 14 40 16->28         started        file6 signatures7 process8 file9 69 o4472e549-b03a-45c...db-cf08108387ca.txt, Unicode 18->69 dropped 30 powershell.exe 18->30         started        33 conhost.exe 18->33         started        71 odff074ad-fef1-486...64-3f61e2595268.txt, Unicode 22->71 dropped 35 conhost.exe 22->35         started        37 powershell.exe 22->37         started        73 ob2c6218b-43c8-4fa...76-3a128a1ce978.txt, Unicode 24->73 dropped 75 C:\Users\user\AppData\...\eot5nadj.cmdline, Unicode 24->75 dropped 39 csc.exe 24->39         started        42 conhost.exe 24->42         started        77 c795c8665-9503-4c5...fe-3579a6835d90.ps1, Unicode 28->77 dropped 79 c267f9ec0-fd82-464...d7-c3f8419ed704.ps1, Unicode 28->79 dropped 115 Suspicious powershell command line found 28->115 117 Encrypted powershell cmdline option found 28->117 119 Found suspicious powershell code related to unpacking or dynamic code loading 28->119 121 Loading BitLocker PowerShell Module 28->121 44 powershell.exe 28->44         started        46 powershell.exe 28->46         started        48 conhost.exe 28->48         started        signatures10 process11 file12 141 Found many strings related to Crypto-Wallets (likely being stolen) 30->141 143 Tries to harvest and steal browser information (history, passwords, etc) 30->143 145 Potential dropper URLs found in powershell memory 30->145 147 Loading BitLocker PowerShell Module 30->147 81 C:\Users\user\AppData\Local\...\eot5nadj.dll, PE32 39->81 dropped 50 cvtres.exe 39->50         started        83 ofc4070b9-cf49-420...e4-d17ebcf6a450.txt, Unicode 44->83 dropped 149 Encrypted powershell cmdline option found 44->149 52 powershell.exe 44->52         started        55 conhost.exe 44->55         started        85 oef3395ec-d2fe-4f6...1b-c713638fbbd0.txt, Unicode 46->85 dropped 57 csc.exe 46->57         started        60 conhost.exe 46->60         started        signatures13 process14 file15 123 Tries to harvest and steal browser information (history, passwords, etc) 52->123 62 csc.exe 52->62         started        87 C:\Users\user\AppData\Local\...\pe1veqq2.dll, PE32 57->87 dropped 65 cvtres.exe 57->65         started        signatures16 process17 file18 97 C:\Users\user\AppData\Local\...\nikxp1mw.dll, PE32 62->97 dropped 67 cvtres.exe 62->67         started        process19
Gathering data
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2026-04-11 20:23:50 UTC
File Type:
Text (PowerShell)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Indicator Removal: File Deletion
Obfuscated Files or Information: Command Obfuscation
Deletes itself
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:SUSP_PowerShell_Base64_Decode
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments