MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dabfd4c52271a9324f773dda53ed70f1117da979e20d152479b9e8815729a48e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dabfd4c52271a9324f773dda53ed70f1117da979e20d152479b9e8815729a48e
SHA3-384 hash: 1b1f4ed196b706f7e5d3ff919b8b4431cebfdd7cba6f95659f8c44fb7c50634677490c93ebb24f4f1451e7a73aee2d1a
SHA1 hash: 9e51148a07b84511bf5c04910ebaba17d67552b6
MD5 hash: b55ce8d294efabef3959967e844e7f18
humanhash: romeo-timing-illinois-yellow
File name:sync.hta
Download: download sample
File size:36'112'937 bytes
First seen:2026-03-17 20:36:56 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 49152:jq/p5CPEusdbmNZf3/qMTlE67orW3FcEJ4lGMnhmop5n6+VtEZnLHchaR4Sn9jIb:k
TLSH T1FC8733335B27FD7E4B64023CB06B0D453DB01ECB80A896F897D978F751AEB1114AE1A9
TrID 62.5% (.SMI/SMIL) Synchronized Multimedia Integration Language (5001/2/2)
37.4% (.HTML) HyperText Markup Language (3000/1/1)
Magika html
Reporter smica83
Tags:hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b9bb8a93b644ca466b18f6
Tags:
autorun shell virus sage
Gathering data
Verdict:
Suspicious
Labled as:
TR/VBS.Obfuscated
Link:
https://www.hybrid-analysis.com/sample/dabfd4c52271a9324f773dda53ed70f1117da979e20d152479b9e8815729a48e
Verdict:
Malicious
File Type:
hta
Detections:
Trojan-Downloader.JS.SLoad.sb HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan.Script.Generic Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Vimditator.sb Trojan.Win32.Vimditator.nexk Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.HTA.SLoad.gen PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.VBS.SAgent.sb
Link:
https://opentip.kaspersky.com/dabfd4c52271a9324f773dda53ed70f1117da979e20d152479b9e8815729a48e/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885217
Signature
Drops VBS files to the startup folder
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schedule system process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885217 Sample: sync.hta Startdate: 17/03/2026 Architecture: WINDOWS Score: 100 137 mr-b01.tm-azurefd.net 2->137 139 casoneroutegold-prod-bggfgca0dkaag8a8.b01.azurefd.net 2->139 141 api.weatherchecker.live 2->141 161 Sigma detected: Schedule system process 2->161 163 Sigma detected: Drops script at startup location 2->163 165 Sigma detected: Suspicious MSHTA Child Process 2->165 167 6 other signatures 2->167 11 mshta.exe 2 2->11         started        14 wscript.exe 2->14         started        17 svchost-net.exe 2->17         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 119 C:\Users\user\AppData\Local\Temp\38B72D8.js, ASCII 11->119 dropped 22 cscript.exe 1 3 11->22         started        181 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->181 183 Suspicious execution chain found 14->183 185 WScript reads language and country specific registry keys (likely country aware script) 14->185 25 svchost-net.exe 14->25         started        125 104.21.82.70, 443, 49711, 49717 CLOUDFLARENETUS United States 17->125 127 104.26.12.205, 443, 49714, 49721 CLOUDFLARENETUS United States 17->127 133 3 other IPs or domains 17->133 28 cmd.exe 17->28         started        30 cmd.exe 17->30         started        39 12 other processes 17->39 129 ip-api.com 20->129 131 ip-api.com 20->131 135 4 other IPs or domains 20->135 33 cmd.exe 20->33         started        35 cmd.exe 20->35         started        37 cmd.exe 20->37         started        41 25 other processes 20->41 file6 signatures7 process8 dnsIp9 117 tmp_b64d7528-e478-...5b-11372024aaf0.exe, PE32+ 22->117 dropped 43 tmp_b64d7528-e478-4cff-a15b-11372024aaf0.exe 9 22->43         started        47 conhost.exe 22->47         started        143 ip-api.com 25->143 145 api.weatherchecker.live 25->145 147 api.ipify.org 25->147 49 16 other processes 25->49 51 2 other processes 28->51 187 Suspicious powershell command line found 30->187 53 2 other processes 30->53 55 2 other processes 33->55 57 4 other processes 37->57 59 24 other processes 39->59 61 48 other processes 41->61 file10 signatures11 process12 file13 121 C:\Users\user\AppData\...\svchost-net.exe, PE32+ 43->121 dropped 123 C:\Users\user\...\CommonServicesUpdate.vbs, ASCII 43->123 dropped 175 Drops VBS files to the startup folder 43->175 63 svchost-net.exe 43->63         started        66 cmd.exe 1 43->66         started        69 cmd.exe 1 43->69         started        177 Suspicious powershell command line found 49->177 71 conhost.exe 49->71         started        73 powershell.exe 49->73         started        75 conhost.exe 49->75         started        77 29 other processes 49->77 179 Loading BitLocker PowerShell Module 51->179 79 2 other processes 59->79 81 6 other processes 61->81 signatures14 process15 dnsIp16 149 ip-api.com 208.95.112.1, 49706, 49708, 49716 TUT-ASUS United States 63->149 151 104.26.13.205, 443, 49713, 49734 CLOUDFLARENETUS United States 63->151 153 2 other IPs or domains 63->153 83 cmd.exe 1 63->83         started        85 cmd.exe 1 63->85         started        87 cmd.exe 63->87         started        98 14 other processes 63->98 155 Suspicious powershell command line found 66->155 157 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 66->157 159 Uses schtasks.exe or at.exe to add and modify task schedules 66->159 90 conhost.exe 66->90         started        92 schtasks.exe 1 66->92         started        94 conhost.exe 69->94         started        96 reg.exe 1 1 69->96         started        signatures17 process18 signatures19 100 powershell.exe 15 83->100         started        103 conhost.exe 83->103         started        105 powershell.exe 40 85->105         started        107 conhost.exe 85->107         started        173 Suspicious powershell command line found 87->173 109 conhost.exe 98->109         started        111 powershell.exe 98->111         started        113 conhost.exe 98->113         started        115 19 other processes 98->115 process20 signatures21 169 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 100->169 171 Loading BitLocker PowerShell Module 105->171
Score:
94%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/dabfd4c52271a9324f773dda53ed70f1117da979e20d152479b9e8815729a48e
Gathering data
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.SLoad
Link:
https://tip.neiki.dev/file/dabfd4c52271a9324f773dda53ed70f1117da979e20d152479b9e8815729a48e
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-16 18:36:33 UTC
File Type:
Text
AV detection:
1 of 36 (2.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3k75jrjcogutet3xhxnfh3lq6eix3klz4igrkjdzxhuicvzjusha._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence upx
Link:
https://tria.ge/reports/260317-zd98hsbx8l/
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dabfd4c52271a9324f773dda53ed70f1117da979e20d152479b9e8815729a48e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments