MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d905d45fe2a3bb011bd2b51fcb29135493c01895df288f0f4f60decfaa4d2d9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown


Vendor detections: 9



SHA256 hash: d905d45fe2a3bb011bd2b51fcb29135493c01895df288f0f4f60decfaa4d2d9e
SHA3-384 hash: 449033722e26992803163649aa93b29511c7c4980b06e97bc3a0922d1c5391cdad5911541a0ea16d98f9e8d2d7e6cc05
SHA1 hash: 28091c508ed90d36aab869233536804ae1626531
MD5 hash: a052b05c84979aed0da49fa387938ec4
humanhash: paris-single-oven-jig
File name: rayidverifications.ps1
File size: 3'903 bytes
First seen: 2025-04-23 17:18:05 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 48:eprbdYOG5zI8JAJtH9JF/6Bn4l7BCWBZ+5/x7YErnuoohBqjNIJtwLnw9hGRyvFB:epndYR5LSDigZGjrDoAasnw9hTdCcgcr
Threatray: 9 similar samples on MalwareBazaar
TLSH: T10B81CE763A16B9B6027247748C5FB984E4270FF7061A2517791DC0CA3FF9809CBE15B4
Magika: powershell
Reporter: JAMESWT_WT
Tags: 185-7-214-3 booking ClickFix FakeCaptcha micromissingservicx86checksup-com penawarhippotherapy-com ps1 Spam-ITA

Intelligence


File Origin
# of uploads: 1
# of downloads: 101
Origin country: IT
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: shellcode autorun spawn virus

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated persistence
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Powershell creates an autostart link
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Behaviour
Behavior Graph ID: 1672350
Sample: rayidverifications.ps1
Start date: 23/04/2025
Architecture: WINDOWS
Score: 100

Contacted hosts (whole run): micromissingservicx86checksup.com; penawarhippotherapy.com; 2 other IPs or domains
Run-wide signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; .NET source code contains potential unpacker; 4 other signatures

Process tree (graph node numbers in brackets):

powershell.exe [8], started from the sample
  Network: penawarhippotherapy.com 218.208.91.140, 443, 49692 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia; api-notification-centeriones.com 188.225.18.36, 443, 49693 TIMEWEB-ASRU Russian Federation
  Dropped: C:\Users\user\...\sys32careservicedrive.exe (PE32+); C:\Users\user\AppData\Local\...\jli.dll (PE32+); C:\Users\...\api-ms-win-crt-string-l1-1-0.dll (PE32+); 10 other malicious files
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Powershell creates an autostart link; Powershell drops PE file
  Children: sys32careservicedrive.exe [19]; conhost.exe [22]

  sys32careservicedrive.exe [19]
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    Child: AddInProcess32.exe [30]
      Network: micromissingservicx86checksup.com 185.7.214.3, 49694, 49700, 56001 DELUNETDE France
      Signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures

sys32careservicedrive.exe [13], [15], [17]: three further instances started from the graph's start node rather than from powershell.exe
  [13] Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  [13] Child: AddInProcess32.exe [24], which Tries to harvest and steal Bitcoin Wallet information
  [15] Child: AddInProcess32.exe [26]
  [17] Child: AddInProcess32.exe [28]
Threat name: Script-PowerShell.Trojan.Malgent
Status: Malicious
First seen: 2025-04-23 17:12:35 UTC
File Type: Text (PowerShell)
AV detection: 3 of 24 (12.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery execution persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
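The behaviours reported by the two sandboxes above (powershell.exe dropping sys32careservicedrive.exe under the user profile and creating an autostart link, a Run key being added, and the dropped binary starting AddInProcess32.exe, a .NET Framework helper, and writing a PE image into it) translate into a small set of host detections. The following Python is an added example, not part of the MalwareBazaar entry or the reporter's data: it encodes those detections as rules over Sysmon-style events and evaluates them per host. Field names follow Sysmon (EventID 1 process create, 11 file create, 13 registry value set); the host names, the dropped file's directory, the shortcut and Run value names, the AddInProcess32.exe path and pwsh.exe as a second PowerShell host are assumptions, and the events are constructed for the example.

```python
"""Added example: behaviour rules distilled from the sandbox process tree in this
MalwareBazaar entry, run over constructed Sysmon-style events. Not part of the entry.
Host names, directories, .lnk and Run value names are assumptions."""
from __future__ import annotations

from collections import defaultdict
from typing import Callable

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}   # pwsh.exe added as an assumption
PE_EXTENSIONS = (".exe", ".dll")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEY = "\\currentversion\\run\\"


def image_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def powershell_drops_pe_to_appdata(ev: dict) -> bool:
    """'Powershell drops PE file': a PowerShell host writes .exe/.dll below AppData."""
    target = ev.get("TargetFilename", "").lower()
    return (ev["EventID"] == 11
            and image_name(ev.get("Image", "")) in POWERSHELL_IMAGES
            and target.endswith(PE_EXTENSIONS)
            and "\\appdata\\" in target)


def powershell_startup_lnk(ev: dict) -> bool:
    """'Powershell creates an autostart link' / Sigma startup-shortcut persistence."""
    target = ev.get("TargetFilename", "").lower()
    return (ev["EventID"] == 11
            and image_name(ev.get("Image", "")) in POWERSHELL_IMAGES
            and target.endswith(".lnk") and STARTUP_DIR in target)


def powershell_run_key(ev: dict) -> bool:
    """'Adds Run key to start application' performed by a PowerShell host."""
    return (ev["EventID"] == 13
            and image_name(ev.get("Image", "")) in POWERSHELL_IMAGES
            and RUN_KEY in ev.get("TargetObject", "").lower())


def user_profile_binary_spawns_addinprocess32(ev: dict) -> bool:
    """The tree shows sys32careservicedrive.exe (dropped under the user profile) starting
    AddInProcess32.exe and then writing a PE into it. Flag any AddInProcess32.exe whose
    parent image lives under C:\\Users."""
    return (ev["EventID"] == 1
            and image_name(ev.get("Image", "")) == "addinprocess32.exe"
            and "\\users\\" in ev.get("ParentImage", "").lower())


RULES: dict[str, Callable[[dict], bool]] = {
    f.__name__: f for f in (powershell_drops_pe_to_appdata, powershell_startup_lnk,
                             powershell_run_key, user_profile_binary_spawns_addinprocess32)
}


def evaluate(events: list[dict]) -> dict[str, list[str]]:
    """Rule names that fired, grouped per host; several together is the chain in the entry."""
    fired: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                fired[ev["Host"]].add(name)
    return {host: sorted(names) for host, names in fired.items()}


# Constructed events (not real telemetry). The entry only gives
# 'C:\Users\user\...\sys32careservicedrive.exe'; the Temp directory, the .lnk name and the
# Run value name below are assumed for the example.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
DROPPED = "C:\\Users\\user\\AppData\\Local\\Temp\\sys32careservicedrive.exe"
SAMPLE_EVENTS = [
    {"Host": "ws-042", "EventID": 11, "Image": PS, "TargetFilename": DROPPED},
    {"Host": "ws-042", "EventID": 11, "Image": PS,
     "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
                       "\\Programs\\Startup\\sys32careservicedrive.lnk"},
    {"Host": "ws-042", "EventID": 13, "Image": PS,
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows"
                     "\\CurrentVersion\\Run\\sys32careservicedrive"},
    {"Host": "ws-042", "EventID": 1,
     "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe",
     "ParentImage": DROPPED},
    # benign noise on another host: an installer writing a DLL, PowerShell writing a text file
    {"Host": "ws-043", "EventID": 11, "Image": "C:\\Program Files\\Contoso\\setup.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Contoso\\helper.dll"},
    {"Host": "ws-043", "EventID": 11, "Image": PS,
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\report.txt"},
]

if __name__ == "__main__":
    for host, names in evaluate(SAMPLE_EVENTS).items():
        print(host, names)
```

Each rule on its own is noisy (legitimate scripts do write into AppData, and AddInProcess32.exe has benign parents); the value is in the combination per host, which is why evaluate() groups by Host rather than alerting per event.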
Malware Config
Dropper Extraction:
https://penawarhippotherapy.com/sys32careservicedrive.zip
https://api-notification-centeriones.com/no2t1i98fic87Q90Sco0Wzns9
Please note that we are no longer able to provide a coverage score for Virus Total.
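The hashes, contacted domains and IPs, dropper URLs and dropped file name listed in this entry are the atomic indicators a responder would sweep for. The following Python is an added example, not part of the MalwareBazaar entry: it verifies a file against the entry's digests and scans log lines for the network and file indicators, printing matches defanged. The log format and the host name ws-042 are assumptions, and the log lines are constructed for the example.

```python
"""Added example: IOC sweep built from the indicators in this MalwareBazaar entry.
Not part of the entry itself; the log format, host name 'ws-042' and the log lines
are constructed for the example."""
from __future__ import annotations

import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the entry.
SAMPLE_HASHES = {
    "md5": "a052b05c84979aed0da49fa387938ec4",
    "sha1": "28091c508ed90d36aab869233536804ae1626531",
    "sha256": "d905d45fe2a3bb011bd2b51fcb29135493c01895df288f0f4f60decfaa4d2d9e",
    "sha3_384": "449033722e26992803163649aa93b29511c7c4980b06e97bc3a0922d1c5391cd"
                "ad5911541a0ea16d98f9e8d2d7e6cc05",
}
DOMAINS = {"penawarhippotherapy.com", "api-notification-centeriones.com",
           "micromissingservicx86checksup.com"}
IPS = {"218.208.91.140", "188.225.18.36", "185.7.214.3"}
DROPPER_URLS = {
    "https://penawarhippotherapy.com/sys32careservicedrive.zip",
    "https://api-notification-centeriones.com/no2t1i98fic87Q90Sco0Wzns9",
}
FILE_NAMES = {"rayidverifications.ps1", "sys32careservicedrive.zip", "sys32careservicedrive.exe"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# exact host or any subdomain of it, never a longer name that merely ends with it
DOMAIN_RES = {d: re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(d) + r"(?![\w-])")
              for d in DOMAINS}


def defang(ioc: str) -> str:
    """hxxp scheme and [.] in the host part so the indicator cannot be clicked or resolved."""
    if "://" in ioc:
        u = urlsplit(ioc)
        query = f"?{u.query}" if u.query else ""
        return f"hxx{u.scheme[3:]}://{u.netloc.replace('.', '[.]')}{u.path}{query}"
    return ioc.replace(".", "[.]")


def hash_bytes(data: bytes) -> dict[str, str]:
    """Digests with the same algorithms the entry lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def is_this_sample(data: bytes) -> bool:
    """True only if every listed digest matches."""
    digests = hash_bytes(data)
    return all(digests[k] == v for k, v in SAMPLE_HASHES.items())


def scan_log_line(line: str) -> list[tuple[str, str]]:
    """(kind, indicator) pairs found in one log line, sorted and de-duplicated."""
    hits: set[tuple[str, str]] = set()
    lowered = line.lower()
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")
        if url in DROPPER_URLS:
            hits.add(("url", url))
    for dom, rx in DOMAIN_RES.items():
        if rx.search(lowered):
            hits.add(("domain", dom))
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.add(("ip", ip))
    for name in FILE_NAMES:
        if name in lowered:
            hits.add(("file", name))
    return sorted(hits)


def sweep(lines: list[str]) -> list[tuple[int, list[tuple[str, str]]]]:
    """(line index, hits) for every line that matched at least one indicator."""
    return [(i, h) for i, line in enumerate(lines) if (h := scan_log_line(line))]


# Constructed log lines (not real telemetry); ws-042 is an assumed host name.
SAMPLE_LOG = [
    "2025-04-23T17:20:01Z ws-042 dns query=penawarhippotherapy.com type=A",
    "2025-04-23T17:20:03Z ws-042 proxy GET https://penawarhippotherapy.com/sys32careservicedrive.zip 200",
    "2025-04-23T17:20:09Z ws-042 dns query=api-notification-centeriones.com type=A",
    "2025-04-23T17:21:10Z ws-042 conn dst=185.7.214.3 proto=tcp",
    "2025-04-23T17:21:11Z ws-042 dns query=www.microsoft.com type=A",
]

if __name__ == "__main__":
    for i, hits in sweep(SAMPLE_LOG):
        print(f"line {i}: " + ", ".join(f"{kind}={defang(value)}" for kind, value in hits))
```

is_this_sample() demands that all four digests match rather than any one of them; the MD5 and SHA1 are listed for cross-referencing older feeds, not as proof of identity.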

File information


The table below shows additional information about this malware sample such as delivery method and external references.
