MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3aa4900a10fcf72db0cce3754e4cb44617229442f01ed0caf18c159ceea7e57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	c3aa4900a10fcf72db0cce3754e4cb44617229442f01ed0caf18c159ceea7e57
SHA3-384 hash:	56dbeeea11c95da11f79e5f2849f1d05fe884f9df2d896ce82247f18ad165d8bc68d9bdb5a162559cf7efb476b9e418a
SHA1 hash:	44b996b2040ddc20f1cf07c7e070514f856b02c9
MD5 hash:	410a3c00c23b4af500311ae954d7fae5
humanhash:	diet-bakerloo-pluto-carpet
File name:	PaymentSwiftCopy.js
Download:	download sample
File size:	1'380'333 bytes
First seen:	2025-03-26 07:16:45 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	192:To1o1o1o1o1o1o1o1o1o1go1o1o1o1o1o1o1o1o1o1go1o1o1o1o1o1o1o1o1o1L:VplQBOr
TLSH	T112558A9A578B1C32F8C34609A97C1E708DCD0DD275E3376CDB3B40A66D19639E2A39B4
Magika	javascript
Reporter	abuse_ch
Tags:	js

Intelligence

File Origin

# of uploads :

# of downloads :

455

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Other.Malware-gen.10679.15380.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e2ad70bb84e066269f03d5

Tags:

obfuscate xtreme shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive masquerade obfuscated obfuscated powershell

Link:

https://www.filescan.io/uploads/67e3a9ff09c39f5498b58a42/reports/5e91726f-a90e-426b-b6a3-249237faedee/overview

Verdict:

Malicious

Labled as:

PowerShell/TrojanDownloader.Agent

Link:

https://www.hybrid-analysis.com/sample/c3aa4900a10fcf72db0cce3754e4cb44617229442f01ed0caf18c159ceea7e57

Result

Verdict:

MALICIOUS

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1648811

Signature

Antivirus detection for URL or domain

JavaScript source code contains functionality to generate code involving a shell, file or stream

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c3aa4900a10fcf72db0cce3754e4cb44617229442f01ed0caf18c159ceea7e57/

Threat name:

Script-JS.Trojan.Negasteal

Status:

Suspicious

First seen:

2025-03-25 14:13:47 UTC

File Type:

Text (JavaScript)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yovesafbb7hxfwymzy3vjzglirqxekkef4a62dfpddavttxkpzlq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

execution

Link:

https://tria.ge/reports/250326-h4gv8asm15/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Blocklisted process makes network request

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c3aa4900a10f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c3aa4900a10fcf72db0cce3754e4cb44617229442f01ed0caf18c159ceea7e57

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample