MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6d3a52f44ffda39c2bcdba871f256fccd1605d9a2aeb8ae41ed1f88d3fa783e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6d3a52f44ffda39c2bcdba871f256fccd1605d9a2aeb8ae41ed1f88d3fa783e
SHA3-384 hash: 891b6b3fd9248b5b032ec7a18cfda154044cd8e4f25734d6b9761d3481e6858e7a5561d0ef738b05b5059bb4445c3cd5
SHA1 hash: 47e9997781b3cce7d4a44344c2835c1c5f58ae45
MD5 hash: 7e5aadefaaa00d62d7f1d71095627c14
humanhash: uniform-ceiling-butter-glucose
File name:stage.ps1
Download: download sample
File size:128 bytes
First seen:2026-06-25 08:58:34 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3:jKMFIK8kYrUAjWLWQv5Vcu1VFnGJhDTeERfQhTu2:jKMFIJ4Yw5fPFnU/f4D
TLSH T1BDB02BF709A710CE3349D200504040471463140D40450050A158C2A50884121D047D57
Magika txt
Reporter abuse_ch
Tags:ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Generic.DangerousPassword.Lazarus.D.9FA776D9.11475.21300.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3c1ea11548daf709f9841f
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin mshta
Link:
https://www.filescan.io/uploads/6a3cedf39799578a6c4b2715/reports/6dcf2b3d-e8ab-41b4-ae17-fb503fb12aca/overview
Verdict:
Malicious
Labled as:
DangerousPassword.Lazarus.D.Generic
Link:
https://www.hybrid-analysis.com/sample/e6d3a52f44ffda39c2bcdba871f256fccd1605d9a2aeb8ae41ed1f88d3fa783e
Verdict:
Malicious
File Type:
ps1
First seen:
2026-06-24T16:21:00Z UTC
Last seen:
2026-06-24T16:44:00Z UTC
Hits:
~100
Detections:
Trojan-Downloader.Agent.HTTP.C&C Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/e6d3a52f44ffda39c2bcdba871f256fccd1605d9a2aeb8ae41ed1f88d3fa783e/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1933590
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1933590 Sample: stage.ps1 Startdate: 25/06/2026 Architecture: WINDOWS Score: 68 17 pdfab.grupovtgs.site 2->17 23 Antivirus detection for URL or domain 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 AI detected malicious Powershell script 2->27 29 2 other signatures 2->29 7 powershell.exe 18 2->7         started        9 svchost.exe 1 1 2->9         started        signatures3 process4 dnsIp5 12 mshta.exe 46 7->12         started        15 conhost.exe 7->15         started        19 127.0.0.1 unknown unknown 9->19 process6 dnsIp7 21 pdfab.grupovtgs.site 104.21.64.23, 443, 49683, 49684 CLOUDFLARENET-CloudflareIncUS Canada 12->21
Score:
23%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/e6d3a52f44ffda39c2bcdba871f256fccd1605d9a2aeb8ae41ed1f88d3fa783e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6d3a52f44ffda39c2bcdba871f256fccd1605d9a2aeb8ae41ed1f88d3fa783e/
Verdict:
Malicious
Threat:
Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/e6d3a52f44ffda39c2bcdba871f256fccd1605d9a2aeb8ae41ed1f88d3fa783e
Threat name:
Text.Malware.DangerousPasswordLazarus
Create hunting rule
Status:
Malicious
First seen:
2026-06-24 18:15:01 UTC
File Type:
Text (PowerShell)
AV detection:
3 of 36 (8.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43j2kl2e77ndtqv43ouhd4sw7tgrmbozukxlrlsb5upyru72pa7a._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
adware execution persistence ransomware spyware
Link:
https://tria.ge/reports/260625-kxz5bsav2z/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Badlisted process makes network request
Boot or Logon Autostart Execution: Active Setup
Malware Config
Dropper Extraction:
https://pdfab.grupovtgs.site/05708de4-1369-4d05-b9b0-fc153e3d3c2d/2104e68f-ed36-4ff5-9dda-00a38d1c7bfe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/e6d3a52f44ffda39c2bcdba871f256fccd1605d9a2aeb8ae41ed1f88d3fa783e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments