MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4e2f8f5a247bf538e55edb73cbd7ef14cd86a47d9380ba5eb9a3f8f710bf366. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	d4e2f8f5a247bf538e55edb73cbd7ef14cd86a47d9380ba5eb9a3f8f710bf366
SHA3-384 hash:	e053683834ec4e3cb17a2899e72468d6fe4e454c3ec000aabbbab2dacb92fa4b424729ef36903b58e0524890c2b5bdf5
SHA1 hash:	14ca06a91e16eb8adfac9e5aeeadeb47888ef4b3
MD5 hash:	c9d2ec6151a96392e896a8228656ddfd
humanhash:	delta-mobile-winner-cup
File name:	sys_cache_1964371898.bat
Download:	download sample
File size:	921 bytes
First seen:	2026-04-28 19:29:01 UTC
Last seen:	Never
File type:	bat
MIME type:	text/x-msdos-batch
ssdeep	24:w3b18JkI7HlcWHlcSLiIlcLFY7JlcVcIlcL23t/DXBPQHs77lcIn:Iaq1/tLYJqVsL2RRPQOuIn
TLSH	T1EE1108ABB61BEC484A4FF8D0465F05236D76A893925601C2A075C530ADFB265D3263CA
Magika	batch
Reporter	BastianHein
Tags:	bat

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

BatchScript

Details

BatchScript

varying reportable information from embedded commands and any observed URLs

Link:

https://research.acce.ciphertechsolutions.com/results/c61a6fb4-21be-489a-91c2-1af7bc515d90/

Malware family:

n/a

ID:

File name:

_d4e2f8f5a247bf538e55edb73cbd7ef14cd86a47d9380ba5eb9a3f8f710bf366.txt

Verdict:

Malicious activity

Analysis date:

2026-04-28 19:29:24 UTC

Tags:

auto-sch

Link:

https://app.any.run/tasks/5348550f-c8de-426d-a5ff-88af054aa695

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/63933/

Detection(s):

SecuriteInfo.com.Heur.BZC.PZQ.Boxter.794.9E871368.27658.13946.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Running batch commands

Forced system process termination

Creating a file in the Windows subdirectories

Sending an HTTP GET request

Creating a file in the system32 subdirectories

Launching a process

DNS request

Connection attempt

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 cmd evasive lolbin persistence powershell schtasks

Link:

https://www.filescan.io/uploads/69f10a8c8a82359247b82957/reports/55fb9b6d-e628-4d4e-9836-4c0cd6ea58dc/overview

Verdict:

Malicious

Labled as:

BZC.PZQ.Boxter.794

Link:

https://www.hybrid-analysis.com/sample/d4e2f8f5a247bf538e55edb73cbd7ef14cd86a47d9380ba5eb9a3f8f710bf366

Verdict:

Clean

File Type:

text

First seen:

2026-04-29T17:46:00Z UTC

Last seen:

2026-04-29T18:11:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/d4e2f8f5a247bf538e55edb73cbd7ef14cd86a47d9380ba5eb9a3f8f710bf366/results?tab=lookup

Score:

71%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/d4e2f8f5a247bf538e55edb73cbd7ef14cd86a47d9380ba5eb9a3f8f710bf366

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d4e2f8f5a247bf538e55edb73cbd7ef14cd86a47d9380ba5eb9a3f8f710bf366/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/d4e2f8f5a247bf538e55edb73cbd7ef14cd86a47d9380ba5eb9a3f8f710bf366

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2trpr5nci67vhdsv5w3tzpl66fgnq2sh3e4axjplti7y64il6nta._file

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion execution persistence

Link:

https://tria.ge/reports/260428-x7cs1ady3w/

Behaviour

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops file in System32 directory

Command and Scripting Interpreter: PowerShell

Obfuscated Files or Information: Command Obfuscation

Badlisted process makes network request

Malware Config

Dropper Extraction:

http://totalmassage.site/heartbeats/res/post_proc.php?fpath=a.ps1

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d4e2f8f5a247bf538e55edb73cbd7ef14cd86a47d9380ba5eb9a3f8f710bf366

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	WIN_FileFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:	FileFix social engineering with PowerShell and PHP commands