MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba6e13ce41abc5ff7b272002de76bae16554b4ab295cd07d41d10e764a4f29f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba6e13ce41abc5ff7b272002de76bae16554b4ab295cd07d41d10e764a4f29f3
SHA3-384 hash: ba24e04ef0bdaf77f91e0db4e0eb55cc6f0e7fdf0d081be1b0edda32eb8ff4b6429ce412cef16b1feed6753ba79659ff
SHA1 hash: 8a7f1a3222e044a3f70f6a95596619903842ade1
MD5 hash: 5bc46149958e7b561037f81898e022a6
humanhash: tango-mississippi-winner-earth
File name:2.hta
Download: download sample
File size:1'306 bytes
First seen:2026-06-10 11:20:41 UTC
Last seen:2026-06-10 13:43:49 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 24:hP2AHFj2bu66olytYt+Hra5+gg4rOUGHAel9WgOMC+:t2E+v6oljHGgiRC+
TLSH T19021B1544C08C748A83223B5DB7AE744F9E355A3320BEF52744CE9836F35126D964EEA
Magika html
Reporter abuse_ch
Tags:hta

Intelligence

File Origin
# of uploads :
2
# of downloads :
59
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Js.Downloader.Generic-6296419-0
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a29489c34eaf30d8ce477b4
Tags:
infosteal stration trojan sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 crypto expand fingerprint lolbin packed reconnaissance timeout
Link:
https://www.filescan.io/uploads/6a2948911f652d6865750507/reports/4b0056fc-5465-4d16-adc6-86cd0d74631e/overview
Verdict:
Malicious
Labled as:
Js.Downloader.Generic
Link:
https://www.hybrid-analysis.com/sample/ba6e13ce41abc5ff7b272002de76bae16554b4ab295cd07d41d10e764a4f29f3
Verdict:
Malicious
File Type:
hta
First seen:
2026-06-09T15:47:00Z UTC
Last seen:
2026-06-09T16:18:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/ba6e13ce41abc5ff7b272002de76bae16554b4ab295cd07d41d10e764a4f29f3/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1925784
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1925784 Sample: 2.hta Startdate: 10/06/2026 Architecture: WINDOWS Score: 92 37 store1.gofile.io 2->37 39 api.telegra.ph 2->39 41 api.ipify.org 2->41 53 Suricata IDS alerts for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 2 other signatures 2->59 10 mshta.exe 2 2->10         started        signatures3 process4 dnsIp5 43 95.85.229.133, 49715, 8080 OC-NETWORKGB Estonia 10->43 29 C:\Users\user\AppData\...\svchost_update.tmp, PE32+ 10->29 dropped 14 cmd.exe 1 10->14         started        file6 process7 process8 16 svchost_update.tmp 298 14->16         started        20 conhost.exe 14->20         started        22 timeout.exe 1 14->22         started        dnsIp9 31 api.telegra.ph 149.154.164.13, 443, 49726, 49727 TELEGRAMVG United Kingdom 16->31 33 store1.gofile.io 45.112.123.227, 443, 49725 GOFILEFR France 16->33 35 api.ipify.org 104.26.12.205, 443, 49724 CLOUDFLARENET-CloudflareIncUS Canada 16->35 45 Tries to harvest and steal browser information (history, passwords, etc) 16->45 47 Tries to steal Crypto Currency Wallets 16->47 49 Queries temperature or sensor information (via WMI often done to detect virtual machines) 16->49 51 Found direct / indirect Syscall (likely to bypass EDR) 16->51 24 powershell.exe 15 16->24         started        signatures10 process11 signatures12 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->61 27 conhost.exe 24->27         started        process13
Score:
16%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/ba6e13ce41abc5ff7b272002de76bae16554b4ab295cd07d41d10e764a4f29f3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba6e13ce41abc5ff7b272002de76bae16554b4ab295cd07d41d10e764a4f29f3/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjxbhtsbvpc766zheabn45v24fsvjnflffona7kb2ehhmsspfhzq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access defense_evasion discovery execution spyware stealer
Link:
https://tria.ge/reports/260610-nfwmcsay7l/
Behaviour
Delays execution with timeout.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
cURL User-Agent
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ba6e13ce41abc5ff7b272002de76bae16554b4ab295cd07d41d10e764a4f29f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MalScript_Tricks
Create hunting rule
Author:@bartblaze
Description:Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HTML Application (hta) hta ba6e13ce41abc5ff7b272002de76bae16554b4ab295cd07d41d10e764a4f29f3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3862360/
  
Delivery method
Distributed via web download

Comments