MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8
SHA3-384 hash: d616924460647e78df6bb1e10cc9cc1e3a75cdac53d0039f10fb5f5f17bc98abc1e09589990951a1255f97bcab9073f8
SHA1 hash: f0f6ae018eb64c3171bb8a002e40859c8b837062
MD5 hash: d9d2a405cdb5b5853e00aa33080c9ae6
humanhash: alaska-asparagus-angel-thirteen
File name:SecurityPatch.ps1
Download: download sample
File size:13'439 bytes
First seen:2026-04-01 11:59:39 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 192:evq5DU0OErBNRjijnXYzrWRxTQlcdXnWqCPuHHwOMae4uYSqGgfFPjwqaalHF53j:4UaAduYKg8gwS9XqdluS5uf2
Threatray 13 similar samples on MalwareBazaar
TLSH T19552F88763855FACB3854CEC9514712B2CF1C56F3C29209EFBE25DD7B83AE11A5A0A70
TrID 50.0% (.INI) Generic INI configuration (1000/1)
50.0% (.JSON) JSON array (generic) (1000/1)
Magika powershell
Reporter aachum
Tags:celebration-internet-cc dcdivas-com dropped-by-ACRStealer ps1 ZigClipper


Avatar
iamaachum
https://dcdivas.com/wp-includes/pomo/SecurityPatch.ps1

C2: https://celebration-internet.cc/

Intelligence

File Origin
# of uploads :
1
# of downloads :
37
Origin country :
ES ES
Vendor Threat Intelligence
Gathering data
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69cd08ce6363ca5d27f08b9f
Tags:
dropper cobalt small
Verdict:
Suspicious
Labled as:
TR/SNH
Link:
https://www.hybrid-analysis.com/sample/bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8
Result
Gathering data
Verdict:
Malicious
File Type:
ps1
First seen:
2026-03-31T18:50:00Z UTC
Last seen:
2026-03-31T19:40:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1892041
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1892041 Sample: SecurityPatch.ps1 Startdate: 01/04/2026 Architecture: WINDOWS Score: 96 31 k8s-ingressn-bscmainn-3f9a19480b-888004326.us-east-1.elb.amazonaws.com 2->31 33 dcdivas.com 2->33 35 2 other IPs or domains 2->35 45 Suricata IDS alerts for network traffic 2->45 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 2 other signatures 2->51 7 powershell.exe 15 33 2->7         started        12 kxcqmequ.exe 1 2->12         started        14 svchost.exe 1 1 2->14         started        16 kxcqmequ.exe 1 2->16         started        signatures3 process4 dnsIp5 41 dcdivas.com 158.106.138.96, 443, 49681 PRIVATESYSTEMSUS United States 7->41 29 C:\Users\user\AppData\...\rdVUJgmAoiLx.exe, PE32+ 7->29 dropped 59 Loading BitLocker PowerShell Module 7->59 61 Powershell drops PE file 7->61 18 rdVUJgmAoiLx.exe 1 14 7->18         started        23 conhost.exe 7->23         started        25 WmiPrvSE.exe 7->25         started        63 Unusual module load detection (module proxying) 12->63 43 127.0.0.1 unknown unknown 14->43 file6 signatures7 process8 dnsIp9 37 k8s-ingressn-bscmainn-3f9a19480b-888004326.us-east-1.elb.amazonaws.com 54.82.161.29, 443, 49683 AMAZON-AESUS United States 18->37 39 celebration-internet.cc 104.21.4.73, 443, 49686, 49696 CLOUDFLARENETUS United States 18->39 27 C:\Users\user\AppData\...\kxcqmequ.exe, PE32+ 18->27 dropped 53 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->53 55 Found stalling execution ending in API Sleep call 18->55 57 Found direct / indirect Syscall (likely to bypass EDR) 18->57 file10 signatures11
Score:
90%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8/
Verdict:
Malicious
Threat:
Trojan.Win32.Garvi
Link:
https://tip.neiki.dev/file/bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-01 01:43:30 UTC
File Type:
Text (PowerShell)
AV detection:
2 of 36 (5.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6cxrnoh3ef6czun6w6jakagc6eruwzpd6s4zfhqjccm3xz6g34a._file
Verdict:
malicious
Label(s):
unc_rust_clipper_001
Create hunting rule
Similar samples:
704e3edf8c6fddd58319de4378dad7502fff9ed71a0c41abcb69ec328b9a31ac
72c08e044dd427964bc14339f95838e3d45f51f6a586330c683fbb59ea374b1d
87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886
a82d031d99b15f8eb5a1d8cc24e55fec6d393d549edde8da9507f3cf17503ce1
b1246e4b3421acdca8b1596c6e5455f555b5b87bcff9895f2eba5164367921e8
error
f23f6d7f5778168fc9e50e3da0a16ce83b97abf95d262a5d16bea7ce12b34d99
f38f57709a23e71c14cc96a6b99dc3f55a7aeaf9c8c8332ad4d95c0c8d645a83
fafb855519e1404ba4300e7beabe44c20172042582b1658b79e589206ff5c2e6
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260401-n6l6lsey9y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Malware Config
Dropper Extraction:
https://dcdivas.com/wp-includes/pomo/Veritaseum.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8

(this sample)

Executable exe 2d5f7e2338ade5ae68dc82758126a60fdcecd36d44d08aded3f92df35fd7bdff

  
Link
https://tria.ge/260401-m4e4vaby4n/behavioral2
  
Dropped by
ACRStealer
  
Delivery method
Distributed via web download
  
Dropping
SHA256 2d5f7e2338ade5ae68dc82758126a60fdcecd36d44d08aded3f92df35fd7bdff
  
Dropping
MD5 bae00642c809512d5a349c95ea7e9d35

Comments