MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e23e96f1b0e759ac811c3edc088ad1d47474bf4043c688a8e15438de69065449. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e23e96f1b0e759ac811c3edc088ad1d47474bf4043c688a8e15438de69065449
SHA3-384 hash: 8d495948a63663f92b121ba87dcfa5df35c25afcc8dff83cf97b30b0728d658bd25223d1be8f6341b89ec54b80f96432
SHA1 hash: 8576f6d96296610b576fabf6c6173fb9c7c511d2
MD5 hash: 2d61e97d85b48fb60cbeaea7f8b5e54a
humanhash: bluebird-wisconsin-harry-carolina
File name:cfr4.txt.ps1
Download: download sample
File size:91'874 bytes
First seen:2025-04-02 08:27:23 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:twSBW4wR/VBI4x86U/2d422HMq1q4qhu4Hjn7YHEacHlyvW:2mW4wRHrx866h/vEp3
TLSH T1C9931212422F982C8032134FA4DF8DCA3B730D54EEE9065DBFDF8ACAE49644D536296D
Magika txt
Reporter 0x746f6d6669
Tags:astralstealer ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ecf764cfd0a37f830c2aaa
Tags:
spawn virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/67ecf52d631830704a8e3550/reports/7893b732-f23c-4c0d-ba8b-a53e4bf6ec07/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e23e96f1b0e759ac811c3edc088ad1d47474bf4043c688a8e15438de69065449
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1654441
Signature
Allocates memory in foreign processes
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1654441 Sample: cfr4.txt.ps1 Startdate: 02/04/2025 Architecture: WINDOWS Score: 100 96 paronalki.space 2->96 98 blaspheme-herbal.shop 2->98 116 Malicious sample detected (through community Yara rule) 2->116 118 Uses an obfuscated file name to hide its real file extension (double extension) 2->118 120 Joe Sandbox ML detected suspicious sample 2->120 11 msiexec.exe 80 40 2->11         started        14 powershell.exe 15 29 2->14         started        18 DesktopX.exe 2->18         started        20 svchost.exe 1 2 2->20         started        signatures3 process4 dnsIp5 80 C:\Users\user\AppData\Local\...\DesktopX.exe, PE32 11->80 dropped 82 C:\Users\user\AppData\Local\...\dx0.dll, PE32 11->82 dropped 84 C:\Users\user\AppData\Local\...\IconX.dll, PE32 11->84 dropped 86 C:\Users\user\AppData\Local\...\DirectGUI.dll, PE32 11->86 dropped 22 DesktopX.exe 10 11->22         started        112 paronalki.space 104.21.80.1, 443, 49695 CLOUDFLARENETUS United States 14->112 150 Found many strings related to Crypto-Wallets (likely being stolen) 14->150 152 Loading BitLocker PowerShell Module 14->152 26 msedge.exe 14->26         started        29 conhost.exe 14->29         started        31 msiexec.exe 3 14->31         started        88 C:\Users\user\AppData\Local\...\qolxfhqqibp, PE32+ 18->88 dropped 154 Maps a DLL or memory area into another process 18->154 33 cmd.exe 18->33         started        35 MonMonZhn_test.exe 18->35         started        114 127.0.0.1 unknown unknown 20->114 file6 signatures7 process8 dnsIp9 72 C:\Users\user\AppData\...\DesktopX.exe, PE32 22->72 dropped 74 C:\Users\user\AppData\Roaming\...\dx0.dll, PE32 22->74 dropped 76 C:\Users\user\AppData\Roaming\...\IconX.dll, PE32 22->76 dropped 78 C:\Users\user\AppData\...\DirectGUI.dll, PE32 22->78 dropped 140 Contains functionalty to change the wallpaper 22->140 142 Contains functionality to automate explorer (e.g. start an application) 22->142 144 Contains functionality to register a low level keyboard hook 22->144 148 3 other signatures 22->148 37 DesktopX.exe 4 22->37         started        108 239.255.255.250 unknown Reserved 26->108 146 Maps a DLL or memory area into another process 26->146 41 msedge.exe 26->41         started        44 msedge.exe 26->44         started        46 msedge.exe 26->46         started        50 2 other processes 26->50 48 conhost.exe 33->48         started        file10 signatures11 process12 dnsIp13 68 C:\Users\user\AppData\...\MonMonZhn_test.exe, PE32+ 37->68 dropped 70 C:\Users\user\AppData\Local\Temp\bemisk, PE32+ 37->70 dropped 132 Contains functionalty to change the wallpaper 37->132 134 Contains functionality to automate explorer (e.g. start an application) 37->134 136 Found hidden mapped module (file has been removed from disk) 37->136 138 4 other signatures 37->138 52 MonMonZhn_test.exe 37->52         started        56 cmd.exe 37->56         started        102 150.171.28.12, 443, 49768 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 41->102 104 20.125.209.212, 443, 49763, 49780 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 41->104 106 20 other IPs or domains 41->106 file14 signatures15 process16 dnsIp17 100 blaspheme-herbal.shop 172.67.202.129, 443, 49698, 49699 CLOUDFLARENETUS United States 52->100 122 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 52->122 124 Found many strings related to Crypto-Wallets (likely being stolen) 52->124 126 Tries to harvest and steal browser information (history, passwords, etc) 52->126 130 5 other signatures 52->130 58 chrome.exe 52->58         started        61 msedge.exe 52->61         started        128 Switches to a custom stack to bypass stack traces 56->128 63 conhost.exe 56->63         started        signatures18 process19 dnsIp20 110 192.168.2.6, 138, 443, 49289 unknown unknown 58->110 65 chrome.exe 58->65         started        process21 dnsIp22 90 www.google.com 142.250.176.196, 443, 49711, 49712 GOOGLEUS United States 65->90 92 plus.l.google.com 142.250.72.110, 443, 49717 GOOGLEUS United States 65->92 94 3 other IPs or domains 65->94
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e23e96f1b0e759ac811c3edc088ad1d47474bf4043c688a8e15438de69065449
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e23e96f1b0e759ac811c3edc088ad1d47474bf4043c688a8e15438de69065449/
Threat name:
Script.Trojan.Powdow
Create hunting rule
Status:
Malicious
First seen:
2025-04-02 08:28:21 UTC
File Type:
Text
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4i7jn4nq45m2zai4h3oarcwr2r2hjp2aipdirkhbkq4n42igkreq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250402-kc55vatwgy/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e23e96f1b0e759ac811c3edc088ad1d47474bf4043c688a8e15438de69065449

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments