MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcb97cf5312f953650a63dcb45319fde1b287bfea7026fb0379095dd894c82bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcb97cf5312f953650a63dcb45319fde1b287bfea7026fb0379095dd894c82bb
SHA3-384 hash: 74831496f9a1e226def61f882862db51ebafc306bb9e2a2a610953e617df212f1337c0a3c67e1ed8e4e5a2e89c9d7bc1
SHA1 hash: 469f068804e62b1a0b4e147cac4d7aecf70f4db6
MD5 hash: c8a17cf22cfcb4d639447143c7058b7f
humanhash: delaware-double-social-beer
File name:final_joiner.js
Download: download sample
File size:134'680 bytes
First seen:2025-06-21 12:59:46 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:fcnqxrHKQeu3VmxWSs3O9zSu8h3hU0JTOOjBn02BMy11P+vgrIUjRBzXZsU1X1jT:bjfhp
Threatray 771 similar samples on MalwareBazaar
TLSH T1AED3926F717D32B12D450AF2A68F113BDB218069479AD221541CE0CD7378B2DB2B6E6F
Magika javascript
Reporter smica83
Tags:js

Intelligence

File Origin
# of uploads :
1
# of downloads :
511
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.JS.Downloader-133.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6856ad0db06783b9ebd6723c
Tags:
connectwise ransomware dropper virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin obfuscated
Link:
https://www.filescan.io/uploads/6856acfe3faf8fcd7d39d3ad/reports/258ad54a-fb53-4b08-b43e-c63553df3996/overview
Verdict:
Malicious
Labled as:
SVM:TrojanDownloader/JS.MalBehav.gen
Link:
https://www.hybrid-analysis.com/sample/bcb97cf5312f953650a63dcb45319fde1b287bfea7026fb0379095dd894c82bb
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1719880
Signature
Bypasses PowerShell execution policy
Creates HTA files
Deletes itself after installation
Found suspicious powershell code related to unpacking or dynamic code loading
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1719880 Sample: final_joiner.js Startdate: 21/06/2025 Architecture: WINDOWS Score: 100 28 pneuservisjirkalovi.com 2->28 30 bg.microsoft.map.fastly.net 2->30 40 Malicious sample detected (through community Yara rule) 2->40 42 JavaScript source code contains functionality to generate code involving a shell, file or stream 2->42 44 Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet 2->44 46 10 other signatures 2->46 9 wscript.exe 1 20 2->9         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 32 pneuservisjirkalovi.com 104.21.61.130, 443, 49692, 49696 CLOUDFLARENETUS United States 9->32 24 C:\...\ZoomMeetingsInstall-6.4.12-59552.hta, HTML 9->24 dropped 26 C:\Users\user\AppData\Local\...\config[1].js, ASCII 9->26 dropped 50 System process connects to network (likely due to code injection or exploit) 9->50 52 JScript performs obfuscated calls to suspicious functions 9->52 54 Deletes itself after installation 9->54 56 3 other signatures 9->56 16 mshta.exe 1 9->16         started        34 127.0.0.1 unknown unknown 14->34 file6 signatures7 process8 signatures9 36 Suspicious powershell command line found 16->36 38 Bypasses PowerShell execution policy 16->38 19 powershell.exe 14 16 16->19         started        process10 signatures11 48 Found suspicious powershell code related to unpacking or dynamic code loading 19->48 22 conhost.exe 19->22         started        process12
Score:
2%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/bcb97cf5312f953650a63dcb45319fde1b287bfea7026fb0379095dd894c82bb
Verdict:
inconclusive
YARA:
2 match(es)
Link:
https://app.malva.re/file/c8a17cf22cfcb4d639447143c7058b7f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcb97cf5312f953650a63dcb45319fde1b287bfea7026fb0379095dd894c82bb/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/bcb97cf5312f953650a63dcb45319fde1b287bfea7026fb0379095dd894c82bb
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-21 13:00:48 UTC
File Type:
Text (JavaScript)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xs4xz5jrf6ktmufghxfukmm73ynsq676u4bg7mbxsck53ckmqk5q._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
03e0f5dc368d33b15470dec1ff49a6311285b341c39e49a45004d00246e778b5
2d305848048af8b6f6953645803c46e428d7e0ee902bc73f629dad3404143596
50ff9fa37b9f106e32b66a29588dcea973afa5f0b1e36643d84d284547210add
6362db1cb4a5bac54192c07ed9cbb9b704f5726cca34f651c4b100e58f8a01a1
64ca91a2446a8e567b24deea926bbdb34fd2dda221577787bbb62d07cbf0272d
6d9442ae6ba5a9f34a47e234b6047f61d8ac129e269199793ebb0bed1ad7e3ba
989ff7fd94b9a296bf63b4b63cce2b71366e4c5e61443cce7b308a05b39e1b56
9a5fc377ed727b660737357865c7694f60c7735cfcf1652f0a6dfd0121781c38
d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
error
+ 761 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/250621-p82vhssthw/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Deletes itself
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bcb97cf5312f953650a63dcb45319fde1b287bfea7026fb0379095dd894c82bb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments