MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2de929008063320fba689db3e7d1be5a4ea6aca256e74e6b4659dc7b2379f41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	e2de929008063320fba689db3e7d1be5a4ea6aca256e74e6b4659dc7b2379f41
SHA3-384 hash:	65a348f81e725be5adf715dfec37dd170e8b4234b65b9dcf25699e4737b8e9fc3f1b73515829467ba795a9e1160c5398
SHA1 hash:	24cbb31a785727e55b0e52025d4af056f70ddd29
MD5 hash:	81cc820e4b0f9c3e94207282f601278b
humanhash:	cat-potato-earth-spaghetti
File name:	Server_Encrypted.ps1
Download:	download sample
File size:	4'008'316 bytes
First seen:	2025-09-18 12:00:12 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	49152:HVYa9VjUNkpOUshAeofB9h3+A6/Z1+8x+Zyg7Ihqa1Ex+:A
TLSH	T1DD0633208E6D9C7942ACD33D30BF9E194BE50F91940CD9EA4BE9A1D703BEB405D6347A
Magika	powershell
Reporter	abuse_ch
Tags:	ps1

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

no reply from clamd

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68cbf4ee2432032546477186

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 evasive krypt lolbin obfuscated reconnaissance regasm

Link:

https://www.filescan.io/uploads/68cbf561254431b688d2e538/reports/abf8e541-123c-49bf-80b2-7ddb60b2077e/overview

Verdict:

Suspicious

Labled as:

Trojan/PS.Obfuscated

Link:

https://www.hybrid-analysis.com/sample/e2de929008063320fba689db3e7d1be5a4ea6aca256e74e6b4659dc7b2379f41

Verdict:

Malicious

File Type:

ps1

First seen:

2025-09-18T03:17:00Z UTC

Last seen:

2025-09-18T03:17:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/e2de929008063320fba689db3e7d1be5a4ea6aca256e74e6b4659dc7b2379f41/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1779981

Signature

AI detected malicious Powershell script

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Query firmware table information (likely to detect VMs)

Suspicious execution chain found

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected MSILLoadEncryptedAssembly

Yara detected Powershell decode and execute

Behaviour

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e2de929008063320fba689db3e7d1be5a4ea6aca256e74e6b4659dc7b2379f41

Verdict:

Malware

YARA:

1 match(es)

Tags:

Base64 Block Contains Base64 Block DeObfuscated PowerShell

Link:

https://app.malva.re/file/81cc820e4b0f9c3e94207282f601278b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e2de929008063320fba689db3e7d1be5a4ea6aca256e74e6b4659dc7b2379f41/

Threat name:

Script-PowerShell.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-09-18 07:02:39 UTC

File Type:

Text

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4lpjfeaiayzsb65grhnt47i34wsou2wkevxhjzvumwo4pmrxt5aq._file

Verdict:

malicious

Label(s):

fantomcrypt

Similar samples:

error

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery execution

Link:

https://tria.ge/reports/250918-n82dbafm7y/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e2de929008063320fba689db3e7d1be5a4ea6aca256e74e6b4659dc7b2379f41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ps1 e2de929008063320fba689db3e7d1be5a4ea6aca256e74e6b4659dc7b2379f41

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3626003/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample