MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2861128b3706fbd00d3fc36a2dc7899ef81a2f62b3e5d48c152c2a47a13b0d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	e2861128b3706fbd00d3fc36a2dc7899ef81a2f62b3e5d48c152c2a47a13b0d5
SHA3-384 hash:	d90db7d89c433a137945501cea9717cb06ee6b277c1b99d447c731004f4ecc0b7b7411912c7b3efd98fbc06cd45cff98
SHA1 hash:	77607674183e6a72f49f86f7b00cb7be85ef122f
MD5 hash:	22ca54ba63f2e386fc988b0ac625464e
humanhash:	four-massachusetts-edward-wolfram
File name:	ftycg.js
Download:	download sample
File size:	40'252 bytes
First seen:	2026-03-31 03:15:31 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	384:12tIX9OtK8KaRaVMDYW6nwAa8KEAw2NxwpFC6Q5nG:12tIX9OtKd5VMiwAa8s7an
TLSH	T1C9036815729F8B1430735A8946AB07344BAF7AAE1FBE40C5448EDEC94FD35128C8B7A7
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	vba
Reporter	Anonymous
Tags:	js

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

Vendor Threat Intelligence

Gathering data

Detection(s):

Sanesecurity.Malware.26866.JsHeur.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69cb3c813a18a6e1ddefeb11

Tags:

shell virus sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 nemucod obfuscated powershell powershell powershell repaired

Link:

https://www.filescan.io/uploads/69cb3c80972c219c8d72e387/reports/34c8925b-6805-4954-99a1-8333d9d4e02c/overview

Verdict:

Malicious

Labled as:

PowerShell/TrojanDownloader.Agent

Link:

https://www.hybrid-analysis.com/sample/e2861128b3706fbd00d3fc36a2dc7899ef81a2f62b3e5d48c152c2a47a13b0d5

Verdict:

Malicious

File Type:

First seen:

2026-03-31T00:27:00Z UTC

Last seen:

2026-03-31T03:39:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Generic

Link:

https://opentip.kaspersky.com/e2861128b3706fbd00d3fc36a2dc7899ef81a2f62b3e5d48c152c2a47a13b0d5/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e2861128b3706fbd00d3fc36a2dc7899ef81a2f62b3e5d48c152c2a47a13b0d5

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e2861128b3706fbd00d3fc36a2dc7899ef81a2f62b3e5d48c152c2a47a13b0d5/

Verdict:

Malicious

Threat:

Trojan.JS.SAgent

Link:

https://tip.neiki.dev/file/e2861128b3706fbd00d3fc36a2dc7899ef81a2f62b3e5d48c152c2a47a13b0d5

Threat name:

Script-JS.Downloader.Nemucod

Status:

Malicious

First seen:

2026-03-31 03:16:21 UTC

File Type:

Text (JavaScript)

AV detection:

7 of 24 (29.17%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4kdbckftobx32agt7q3kfxdythxydixwfm7f2sgbklbki6qtwdkq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

collection defense_evasion discovery execution persistence

Link:

https://tria.ge/reports/260331-dslb2sfz5v/

Behaviour

Enumerates system info in registry

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Time Discovery

Browser Information Discovery

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Indicator Removal: File Deletion

.NET Reactor proctector

Checks computer location settings

Drops startup file

Badlisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e2861128b3706fbd00d3fc36a2dc7899ef81a2f62b3e5d48c152c2a47a13b0d5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/add2f6ce-4e79-4327-a1fa-3d9c7e2ba4ce

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample