MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7e020ced3283cb18691d47a2d95e243664638dbb2d501f296108fb282854a7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: DarkCloud
Vendor detections: 10

SHA256 hash: b7e020ced3283cb18691d47a2d95e243664638dbb2d501f296108fb282854a7c
SHA3-384 hash: 37ceba0605eaf5b3f7cb1d62335b6fc238585f3fcd132a1817541cf7c857ef01c3e91a9fbdf078d82373014dde62f2c0
SHA1 hash: ff02bac3a5a1cf54cb457189f7c686384e9733a6
MD5 hash: f432b5ffa3e1a2246b07194fd57c1d7d
humanhash: south-nuts-grey-mike
File name: f432b5ffa3e1a2246b07194fd57c1d7d.js
File size: 34'992 bytes
First seen: 2026-02-28 10:21:45 UTC
Last seen: Never
File type: JavaScript (JS)
MIME type: text/plain
ssdeep: 768:mtng7oMWs5czidTzLBxHXNNOJAA9/MksBlbbQyFVrRGqgQFEs+lF67Ci:GHCYi
TLSH: T143F229ED13B7252B1CAC2055A437C2C189754E84632469AF5A9FACDAC14C4FF97FBE80
Magika: javascript
Reporter: abuse_ch
Tags: DarkCloud js

Intelligence

File Origin
# of uploads: 1
# of downloads: 120
Origin country: SE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 97.4%
Tags: ransomware sage smtp

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm evasive fingerprint repaired

Verdict: Malicious
File Type: js
Detections: HEUR:Trojan.Script.Generic

Result
Threat name: DarkCloud
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Creates multiple autostart registry keys
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected DarkCloud
Yara detected MSIL Injector
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour

Behavior Graph ID: 1876334
Sample: Jn4JVFgPe2.js
Start date: 28/02/2026
Architecture: WINDOWS
Score: 100

Root-level signatures: Register Wscript In Run Key; Suricata IDS alerts for network traffic; Found malware configuration; 18 other signatures.

Network contacts (all from powershell.exe, node 12, unless noted):
microsensor.sbs 92.113.19.163, port 443 (UKRTELNETUA, Ukraine)
pastefy.app 188.245.199.145, port 443 (PARSONLINETehran-IRANIR, Iran)
yaso.su 104.21.77.239, port 443 (CLOUDFLARENETUS, United States)
127.0.0.1 (from the 3 other processes at node 19)
5 other IPs or domains

Dropped files:
C:\ProgramData\Smkkamf.js (ASCII), dropped by powershell.exe (12)
C:\Users\user\AppData\Local\...\wrffite.bat (ASCII), dropped by powershell.exe (12)
C:\Users\user\AppData\...\4eojpdpz.cmdline (Unicode), dropped by powershell.exe (12)
C:\Users\user\AppData\Local\...\4eojpdpz.dll (PE32), written by csc.exe (30)
C:\Users\user\AppData\Local\...\taybkgab.dll (PE32), written by csc.exe (37)
C:\Users\user\AppData\Local\...\ofhkzvgp.dll (PE32), written by the 4 other processes at node 50

Process tree (node IDs from the graph; per-process signatures in brackets):
wscript.exe (10)
    powershell.exe (21) [Suspicious powershell command line found; Creates multiple autostart registry keys; Writes to foreign memory regions]
        powershell.exe (35)
            cmd.exe (54)
                conhost.exe (72); taskkill.exe (74); taskkill.exe (76); taskkill.exe (78)
            conhost.exe (56)
        csc.exe (37) [drops taybkgab.dll]
            cvtres.exe (58)
        3 other processes (48)
            2 other processes (68)
    powershell.exe (24) [Injects a PE file into a foreign processes]
        powershell.exe (40)
            cmd.exe (60)
                conhost.exe (80); taskkill.exe (82); taskkill.exe (84); taskkill.exe (86)
            conhost.exe (62)
        4 other processes (50) [drops ofhkzvgp.dll]
            3 other processes (70)
powershell.exe (12) [contacts microsensor.sbs, pastefy.app, yaso.su; drops wrffite.bat, 4eojpdpz.cmdline, Smkkamf.js; Suspicious powershell command line found; Creates multiple autostart registry keys; Writes to foreign memory regions; Injects a PE file into a foreign processes]
    conhost.exe (26) [Creates processes via WMI]
    powershell.exe (28)
        cmd.exe (42)
            taskkill.exe (64); 3 other processes (66)
        conhost.exe (44)
    csc.exe (30) [drops 4eojpdpz.dll]
        cvtres.exe (46)
    2 other processes (33)
        2 other processes (52)
wscript.exe (17) [Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; Creates processes via WMI]
3 other processes (19) [contacts 127.0.0.1]
Verdict: Malicious
Threat: Trojan-Downloader.PowerShell.NanoShield

Threat name: Script-JS.Trojan.NanoShield
Status: Malicious
First seen: 2026-02-27 05:30:39 UTC
File Type: Text (VBS)
AV detection: 10 of 36 (27.78%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion execution persistence
Behaviour:
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Adds Run key to start application
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process

Please note that we are no longer able to provide a coverage score for Virus Total.
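The sandbox signatures and process tree above describe one execution chain: a Windows Script Host process launches PowerShell (directly or through cmd.exe), the PowerShell command line carries a Base64-encoded payload that decodes and executes further code, csc.exe compiles a .cmdline file from the user's AppData directory, and a script host is registered under a Run key for persistence. The block below is an added example of detection logic for that chain, run over constructed process-creation and registry events; it is not code from MalwareBazaar, Joe Sandbox or the Sigma project. The event schema, PIDs, file names, command lines and the encoded payload are assumptions made for the demonstration; the only artefact taken from this entry is the dropped path C:\ProgramData\Smkkamf.js.

```python
# Added example: detection of the script-host -> PowerShell -> csc.exe chain.
# Not MalwareBazaar, Joe Sandbox or Sigma code. Event schema, PIDs, paths and
# command lines are constructed; only C:\ProgramData\Smkkamf.js comes from the entry.
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" or "registry" (constructed schema)
    pid: int = 0
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    reg_key: str = ""
    reg_value: str = ""


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.I)
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
EXEC_MARKERS = ("FromBase64String", "IEX", "Invoke-Expression", "DownloadString")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None.
    PowerShell encodes the script as UTF-16LE; decoding it as UTF-8 leaves
    interleaved NUL bytes and defeats plain substring matching."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestors(ev: Event, by_pid: dict, depth: int = 3) -> list:
    """Image names of the parent chain, nearest first, up to `depth` hops,
    so wscript -> cmd -> powershell is caught as well as wscript -> powershell."""
    chain, parent = [], by_pid.get(ev.ppid)
    while parent is not None and len(chain) < depth:
        chain.append(basename(parent.image))
        parent = by_pid.get(parent.ppid)
    return chain


def analyze(events: list) -> list:
    """Return (rule_name, evidence) tuples in event order."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for ev in events:
        if ev.kind == "process":
            img = basename(ev.image)
            if img == "powershell.exe":
                if SCRIPT_HOSTS & set(ancestors(ev, by_pid)):
                    findings.append(("script_host_spawns_powershell", ev.cmdline))
                decoded = decode_encoded_command(ev.cmdline)
                if decoded is not None:
                    findings.append(("encoded_powershell", decoded))
                    hits = [m for m in EXEC_MARKERS if m.lower() in decoded.lower()]
                    if hits:
                        findings.append(("decode_and_execute", ",".join(hits)))
            elif img == "csc.exe" and USER_WRITABLE.search(ev.cmdline):
                findings.append(("csc_from_user_writable_path", ev.cmdline))
        elif ev.kind == "registry":
            if RUN_KEY.search(ev.reg_key) and re.search(r"[wc]script|\.js\b", ev.reg_value, re.I):
                findings.append(("script_host_in_run_key", ev.reg_value))
    return findings


# Constructed payload: the usual "decode a string and IEX it" stub, encoded the
# way PowerShell expects it (UTF-16LE, then Base64).
PAYLOAD = "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk=')))"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed; mirrors the chain in the sandbox graph
    Event("process", 100, 1, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\user\Downloads\invoice.js"'),
    Event("process", 110, 100, r"C:\Windows\System32\cmd.exe",
          "cmd.exe /c powershell -nop -w hidden -enc " + ENCODED),
    Event("process", 120, 110, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -nop -w hidden -enc " + ENCODED),
    Event("process", 130, 120, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
          r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q1w2e3r4.cmdline"'),
    Event("registry", reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Smkkamf",
          reg_value=r"wscript.exe //B C:\ProgramData\Smkkamf.js"),
    Event("process", 200, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -Command Get-Date"),   # benign control, no finding
]


def run_sample() -> list:
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, evidence in run_sample():
        print(f"{rule:32} {evidence[:70]}")
```

The ancestry walk (three hops) is what makes the "via cmd or directly" case in the Joe Sandbox signature a single rule rather than two, and the UTF-16LE decode is the step most home-grown detections get wrong: a UTF-8 decode of the same bytes contains "I\x00E\x00X\x00" and never matches "IEX". The rules here cover only the script-host, encoded-PowerShell, csc.exe and Run-key parts of the chain; the WMI process creation, taskkill sweeps and PE injection reported by the sandbox need separate telemetry (WMI activity, API-level injection events) and are not modelled.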
