MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c84fc575935f687a72f749d0c626cd1f7b5d8a4fd8c5301ad93d69030b8694f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c84fc575935f687a72f749d0c626cd1f7b5d8a4fd8c5301ad93d69030b8694f8
SHA3-384 hash: 621cb55d41d872f0c1e66306ae886939c50457df465ea4e843dcbb6711b4918b875fb9408683e34887e9b5cbf641bf23
SHA1 hash: 16f4fb0839cfb4d008537d87906aee0621646c27
MD5 hash: 9433ed9d985d6f93e0a168c417b7f01c
humanhash: utah-cup-steak-kansas
File name:verifyhuman476.b-cdn.net.ps1
Download: download sample
File size:151 bytes
First seen:2024-08-08 18:35:46 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3:VSJJLNyAmarBanfknMVpvF7HMV20RtkpfhAi11H6Bto2kO7Heh:snyuW5VpvF7HMEvpfhJDH6ByDO7Hs
TLSH T168C08C316588EE88C70EB0244C0E0E9F2020C9A6E6F01190F9A2084E7900E14D32440C
Reporter aachum
Tags:ps1


Avatar
iamaachum
https://verifyhuman476.b-cdn.net/human-verify-system.html

Asked to paste PowerShell script through Win+R

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b51013aa5b40be0a9fe099
Tags:
Execution Generic Infostealer Network Stealth
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin masquerade mshta powershell
Link:
https://www.filescan.io/uploads/66b510131ef486c99c80518c/reports/00427555-fdf8-4b86-a9c4-e30e5cc6320b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c84fc575935f687a72f749d0c626cd1f7b5d8a4fd8c5301ad93d69030b8694f8
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1490187
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Very long command line found
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1490187 Sample: verifyhuman476.b-cdn.net.ps1 Startdate: 08/08/2024 Architecture: WINDOWS Score: 100 69 microsoftcamp-v1.b-cdn.net 2->69 71 microzips-v1.b-cdn.net 2->71 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for URL or domain 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 6 other signatures 2->85 12 powershell.exe 11 2->12         started        15 svchost.exe 1 1 2->15         started        18 rundll32.exe 2->18         started        signatures3 process4 dnsIp5 103 Encrypted powershell cmdline option found 12->103 105 Powershell drops PE file 12->105 20 powershell.exe 7 12->20         started        22 conhost.exe 12->22         started        77 127.0.0.1 unknown unknown 15->77 signatures6 process7 process8 24 mshta.exe 16 20->24         started        dnsIp9 73 microsoftcamp-v1.b-cdn.net 89.187.169.47, 443, 49704 CDN77GB Czech Republic 24->73 59 C:\Users\user\AppData\Local\...\micro-v1[1], PE32 24->59 dropped 99 Suspicious powershell command line found 24->99 101 Very long command line found 24->101 29 powershell.exe 16 45 24->29         started        file10 signatures11 process12 dnsIp13 75 microzips-v1.b-cdn.net 185.93.1.249, 443, 49708, 49711 CDN77GB Czech Republic 29->75 61 C:\Users\user\AppData\...\tak_deco_lib.dll, PE32+ 29->61 dropped 63 C:\Users\user\AppData\Local\...\lang-1058.dll, PE32 29->63 dropped 65 C:\Users\user\AppData\Local\...\lang-1049.dll, PE32 29->65 dropped 67 6 other malicious files 29->67 dropped 111 Loading BitLocker PowerShell Module 29->111 34 Setup.exe 7 29->34         started        38 conhost.exe 29->38         started        file14 signatures15 process16 file17 51 C:\Users\user\AppData\...\tak_deco_lib.dll, PE32+ 34->51 dropped 53 C:\Users\user\AppData\Roaming\...\StrCmp.exe, PE32 34->53 dropped 87 Maps a DLL or memory area into another process 34->87 89 Found direct / indirect Syscall (likely to bypass EDR) 34->89 40 more.com 3 34->40         started        44 StrCmp.exe 37 34->44         started        signatures18 process19 file20 55 C:\Users\user\AppData\Local\...\jsmblimyxgr, PE32 40->55 dropped 57 C:\Users\user\AppData\...\ShowbizFender.pif, PE32 40->57 dropped 91 Drops PE files with a suspicious file extension 40->91 93 Writes to foreign memory regions 40->93 95 Found hidden mapped module (file has been removed from disk) 40->95 97 2 other signatures 40->97 46 ShowbizFender.pif 1 40->46         started        49 conhost.exe 40->49         started        signatures21 process22 signatures23 107 Switches to a custom stack to bypass stack traces 46->107 109 Found direct / indirect Syscall (likely to bypass EDR) 46->109
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/c84fc575935f687a72f749d0c626cd1f7b5d8a4fd8c5301ad93d69030b8694f8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c84fc575935f687a72f749d0c626cd1f7b5d8a4fd8c5301ad93d69030b8694f8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbh4k5mtl5uhu4xxjhimmjwnd55v3csp3dctagwzhvuqgc4gst4a._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/240809-k48eaayflk/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction:
https://microsoftcamp-v1.b-cdn.net/micro-v1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c84fc575935f687a72f749d0c626cd1f7b5d8a4fd8c5301ad93d69030b8694f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 c84fc575935f687a72f749d0c626cd1f7b5d8a4fd8c5301ad93d69030b8694f8

(this sample)

Executable exe 0581756a656ace2e7d164b1f66846e9d079755bd7a5cead72e73b53ab534531b

  
Link
https://tria.ge/240808-w2d87sxbpq
  
Delivery method
Distributed via web download
  
Dropping
SHA256 0581756a656ace2e7d164b1f66846e9d079755bd7a5cead72e73b53ab534531b
  
Dropping
MD5 de219cb5f5073be86d74f4bee29d9e79

Comments