MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d40773790dc2818eedcaf20bb2831d11f1d24a76839bd90efba1229e55ad6d75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: d40773790dc2818eedcaf20bb2831d11f1d24a76839bd90efba1229e55ad6d75
SHA3-384 hash: 5805920b71cc46a84de095b82555ece4eba98f600d457e9b72f73b71f619ef1f12b8fed759ba11a16b6f1e08233e3610
SHA1 hash: 75f57b4c3d66ad5d0dddfa7aa87d00631aa1d748
MD5 hash: eaa9920fa3a8b10ae96b56564462284f
humanhash: bluebird-twenty-spaghetti-apart
File name: tos.js.ps1
File size: 3'507 bytes
First seen: 2025-04-21 08:07:27 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep 48:/ZR8V2+g4WyEA/1Ued0NREmlUi1pFg3HSXKpOqSP+BTvnyvBhwqOtN+:Pcg4R6NEmlUi1pFAHSXhWvnyfitN+
Threatray 3 similar samples on MalwareBazaar
TLSH T18E7140141E6C90C6C381965FC776C66D080EE942690F9C9136DCCFBDC3B28293AA9377
Magika txt
Reporter zhuzhu0009
Tags: ps1

Intelligence


File Origin
# of uploads :
1
# of downloads :
120
Origin country :
SG
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Tags:
virus spawn
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
masquerade
Verdict:
Malicious
Labelled as:
PowerShell/Obfuscated.R suspicious application
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
[Behavior graph not reproduced: Joe Sandbox Behavior Graph ID 1670198, sample tos.js.ps1, start date 21/04/2025, architecture WINDOWS, score 100. The rendered graph of spawned processes, dropped files and contacted hosts is available in the sandbox report.]
Threat name:
Script-PowerShell.Packed.Generic
Status:
Suspicious
First seen:
2025-04-21 08:08:10 UTC
File Type:
Text
AV detection:
6 of 38 (15.79%)
Threat level:
1/5
Result
Malware family:
n/a
Score:
3/10
Tags:
execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments