MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4e97352fb7ab030ad3c1208d59f68b09e86b8d97731adb0dbb40226537c0b5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 11 File information Comments

SHA256 hash:	e4e97352fb7ab030ad3c1208d59f68b09e86b8d97731adb0dbb40226537c0b5e
SHA3-384 hash:	a8b3c15fa5f9e0fed9983ccde8ba553fea229b69e0f432786ad7bf66aff581f4239dcf993fc323eb93131029fe45baaf
SHA1 hash:	6959b53308de6b8aedb6d12fa54d22f357dcc75e
MD5 hash:	ae94dbebfe2e99697e4ec7fa9e168ae2
humanhash:	crazy-bluebird-carpet-delaware
File name:	V7JxRYCP.posh
Download:	download sample
File size:	74'428 bytes
First seen:	2024-01-04 01:24:51 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/html
ssdeep	1536:YYZzFKOkuqp1VagQNOVzocyszAyAiQOlHKbnFMBMv9IK8eM2:RTkuqpLvOOVzocysrhAOkO+
TLSH	T1DF7329C91298EFFBC36765A6D7F5D6298E1102208F340CB1E7DF811F958582A4A32F79
TrID	87.2% (.ASPX) Microsoft ASP.NET Web Form (20500/1/4) 12.7% (.HTML) HyperText Markup Language (3000/1/1)
Reporter	pmelson
Tags:	ASPXSpy ps1 webshell

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

Vendor Threat Intelligence

Detection(s):

Legacy.Trojan.Agent-36242

YARA.ASPXspy2.UNOFFICIAL

SecuriteInfo.com.JS.Agent-981.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm aspxspy evasive hacktool masquerade

Link:

https://www.filescan.io/uploads/659608efb855eb3693109d0f/reports/04fb5e18-5aab-475d-ab22-f255e20007bc/overview

Verdict:

Malicious

Labled as:

Trojan.VBS.Agent

Link:

https://www.hybrid-analysis.com/sample/e4e97352fb7ab030ad3c1208d59f68b09e86b8d97731adb0dbb40226537c0b5e

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1369669

Signature

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

ASCII

Link:

https://malprob.io/report/e4e97352fb7ab030ad3c1208d59f68b09e86b8d97731adb0dbb40226537c0b5e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e4e97352fb7ab030ad3c1208d59f68b09e86b8d97731adb0dbb40226537c0b5e/

Threat name:

Script-ASP.Backdoor.ASpy

Status:

Malicious

First seen:

2024-01-04 01:25:06 UTC

File Type:

Text (HTML)

Extracted files:

AV detection:

18 of 22 (81.82%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4tuxgux3pkydblj4cienlh3iwcpinogzo4y23mg3wqbcmu34bnpa._file

Malware family:

APT27

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e4e97352fb7a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e4e97352fb7ab030ad3c1208d59f68b09e86b8d97731adb0dbb40226537c0b5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ASPXspy2 Create hunting rule
Author:	Florian Roth
Description:	Web shell - file ASPXspy2.aspx
Reference:	not set

Rule name:	ASPXspy2 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Web shell - file ASPXspy2.aspx
Reference:	not set

Rule name:	ASPXspy2_RID29DB Create hunting rule
Author:	Florian Roth
Description:	Web shell - file ASPXspy2_RID29DB.aspx
Reference:	not set

Rule name:	Base64_decoding Create hunting rule
Author:	iam-py-test
Description:	Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)

Rule name:	CN_Honker_Webshell_ASPX_aspx Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Webshell from CN Honker Pentest Toolset - file aspx.txt
Reference:	Disclosed CN Honker Pentest Toolset

Rule name:	CN_Honker_Webshell_ASPX_aspx_RID31B3 Create hunting rule
Author:	Florian Roth
Description:	Webshell from CN Honker Pentest Toolset - file aspx.txt
Reference:	Disclosed CN Honker Pentest Toolset

Rule name:	IronTiger_ASPXSpy Create hunting rule
Author:	Cyber Safety Solutions, Trend Micro
Description:	ASPXSpy detection. It might be used by other fraudsters
Reference:	http://goo.gl/T5fSJC

Rule name:	OBFUS_PowerShell_Common_Replace Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the common usage of replace for obfuscation

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	Txt_aspx Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Chinese Hacktool Set - Webshells - file aspx.jpg
Reference:	http://tools.zjqhr.com/

Rule name:	Webshell_Txt_aspx_RID2E01 Create hunting rule
Author:	Florian Roth
Description:	Chinese Hacktool Set - Webshells - file aspx.jpg
Reference:	http://tools.zjqhr.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ps1 e4e97352fb7ab030ad3c1208d59f68b09e86b8d97731adb0dbb40226537c0b5e

(this sample)

Link

https://www.virustotal.com/gui/file/e4e97352fb7ab030ad3c1208d59f68b09e86b8d97731adb0dbb40226537c0b5e/detection

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample