MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279
SHA3-384 hash:	7a242e7266c0fb99e1eb005a93902d3e24f7ae83110a9a940ccf06d2ae7fbf13784ce6a61cad1025294ae71c92f55dfe
SHA1 hash:	deec7596b98971d022168e9d6c753c63b6f35c4c
MD5 hash:	3c74d21543d6ff780df842652d890f72
humanhash:	social-video-october-magnesium
File name:	codigo.ps1
Download:	download sample
File size:	868 bytes
First seen:	2025-12-22 16:43:36 UTC
Last seen:	2025-12-23 07:56:36 UTC
File type:	ps1
MIME type:	text/plain
ssdeep	12:s8U0lu/LCUcQ9Oqa3tgB1O+PPzazLgyaIS1PKC2Gs8BxS55ksz8vJpp6aFCIq29:ELCUnLa34hPP+zLw1PKC2Gxo+DpBTt
Threatray	57 similar samples on MalwareBazaar
TLSH	T1F011F418375F7DE409D484778E8928EF961101AC1D6415D837CDC2516F6B1CF167B30C
Magika	powershell
Reporter	ShadowOpCode
Tags:	booking melasio-com miteamss-com partner-hotel-app ps1

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6949755fa6c88bb4cc238973

Tags:

smarts micro sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 powershell powershell

Link:

https://www.filescan.io/uploads/6949755fe126b9ff438cbbb1/reports/e7b74391-a6df-4bd1-9d96-58266c19dd0a/overview

Verdict:

Malicious

Labled as:

PowerShell/TrojanDownloader.Agent

Link:

https://www.hybrid-analysis.com/sample/f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279

Verdict:

Malicious

File Type:

ps1

First seen:

2025-12-22T17:00:00Z UTC

Last seen:

2025-12-22T17:40:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.APosT.blvr

Link:

https://opentip.kaspersky.com/f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279

Verdict:

Malware

YARA:

1 match(es)

Tags:

Base64 Block Contains Base64 Block DeObfuscated PowerShell

Link:

https://app.malva.re/file/3c74d21543d6ff780df842652d890f72

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279

Threat name:

Script-PowerShell.Trojan.Heuristic

Status:

Malicious

First seen:

2025-12-22 16:44:15 UTC

File Type:

Text (PowerShell)

AV detection:

5 of 24 (20.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6wafnlzo5cqcn53wc6cforuupeu3kikawtdsic67xgc7z33lmj4q._file

Verdict:

malicious

Label(s):

castlerat

0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3

0fa8d2dce87fd3e27c2543c9dcf2931fdafd856ca4e14ee21531fb942dc3b36e

41657910cd010c7e5ebbbfc11a2636fa1868a9bffe78d98b8faa7bd0e9c5c3b8

c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919

e779e7c5dfba028f616eb4efc98523561e194c0cbb99192a9dab535f9d7936a4

error

+ 47 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

collection execution persistence spyware stealer

Link:

https://tria.ge/reports/251222-t81dxawndv/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Clipboard Data

Executes dropped EXE

Reads user/profile data of web browsers

Badlisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_Encoded_Powershell_Directives Create hunting rule

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	SUSP_PowerShell_Base64_Decode Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects PowerShell code to decode Base64 data. This can yield many FP

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://partner-hotel-app.com?eggydeixrrerrgh

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample