MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eab6466d219ecce976bdb19ff486eba7e0d91ff52bc50863e28ccdd27a2d35d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eab6466d219ecce976bdb19ff486eba7e0d91ff52bc50863e28ccdd27a2d35d9
SHA3-384 hash: aed032b2d3101e812e7ef18029769e4ae628c3c402214c9770113df212c388da3e868de93ac23f9ece16d3d4b8dda319
SHA1 hash: 41f0cdd5776b6e41c41dd359cf867d67fe08f11d
MD5 hash: d598c9f81a26f93bc7b458c7db4746a6
humanhash: victor-tennessee-green-skylark
File name:rjh.ps1
Download: download sample
File size:533 bytes
First seen:2025-05-13 07:15:20 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:XSAB1hgFNJJa9l7FhQAuM5K7/aovzsOsX+VehACoAu9tFo+XXplVe7LTS7F3Ys:XXKFNKf7Fhzud7EKehodFo+XXro7LTSn
TLSH T1CFF00E1C9E3F130470AA48F7980302F2750EA6FC11200AB1BE3B580E62C1810AF300BC
Magika powershell
Reporter JAMESWT_WT
Tags:booking ClickFix FakeCaptcha getsveriff-com getsveriff-xyz ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.17907.23199.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6822f2b84a59e5a2ce042907
Tags:
shell agent sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
dropper fingerprint obfuscated opendir opendir
Link:
https://www.filescan.io/uploads/6822f1bc0b64e174c4248af5/reports/457b019a-7f36-4be5-a1e0-2a06186b67fe/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/eab6466d219ecce976bdb19ff486eba7e0d91ff52bc50863e28ccdd27a2d35d9
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1688632
Signature
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1688632 Sample: rjh.ps1 Startdate: 13/05/2025 Architecture: WINDOWS Score: 84 54 getsveriff.com 2->54 64 Antivirus detection for URL or domain 2->64 66 AI detected malicious Powershell script 2->66 68 Joe Sandbox ML detected suspicious sample 2->68 70 2 other signatures 2->70 10 powershell.exe 15 20 2->10         started        15 svchost.exe 2->15         started        signatures3 process4 dnsIp5 56 getsveriff.com 109.69.62.228, 49681, 80 AWMLTNL Czech Republic 10->56 52 C:\Windows\Temp\cbe92.exe, PE32+ 10->52 dropped 74 Powershell drops PE file 10->74 17 cbe92.exe 1 10->17         started        20 conhost.exe 10->20         started        58 127.0.0.1 unknown unknown 15->58 file6 signatures7 process8 signatures9 60 Multi AV Scanner detection for dropped file 17->60 62 Adds a directory exclusion to Windows Defender 17->62 22 cmd.exe 17->22         started        25 cmd.exe 1 17->25         started        27 cmd.exe 1 17->27         started        29 53 other processes 17->29 process10 signatures11 72 Adds a directory exclusion to Windows Defender 22->72 46 2 other processes 22->46 31 powershell.exe 23 25->31         started        34 conhost.exe 25->34         started        36 powershell.exe 27->36         started        38 conhost.exe 27->38         started        40 powershell.exe 23 29->40         started        42 powershell.exe 29->42         started        44 powershell.exe 29->44         started        48 103 other processes 29->48 process12 signatures13 76 Loading BitLocker PowerShell Module 31->76 50 conhost.exe 46->50         started        process14
Score:
12%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/eab6466d219ecce976bdb19ff486eba7e0d91ff52bc50863e28ccdd27a2d35d9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eab6466d219ecce976bdb19ff486eba7e0d91ff52bc50863e28ccdd27a2d35d9/
Threat name:
Script-PowerShell.Trojan.Fakecaptcha
Create hunting rule
Status:
Malicious
First seen:
2025-05-13 07:16:16 UTC
File Type:
Text (PowerShell)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5k3em3jbt3gos5v5wgp7jbxlu7qnsh7vfpcqqy7crtg5e6rngxmq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250513-h3vqpasjz5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eab6466d219ecce976bdb19ff486eba7e0d91ff52bc50863e28ccdd27a2d35d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 eab6466d219ecce976bdb19ff486eba7e0d91ff52bc50863e28ccdd27a2d35d9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3542573/
  
Delivery method
Distributed via web download

Comments