MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc5bdf6835859243ea18cce62e91f79ddc938eed2c4d67fe2360a30a2e869d28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc5bdf6835859243ea18cce62e91f79ddc938eed2c4d67fe2360a30a2e869d28
SHA3-384 hash: 1901a9b20c6005d4f950c0fbfd078c783f14d49b14a42c28ddbee0b3e87cc5dc9fafb6ea9bd67bf4b51f8c0d0d17626a
SHA1 hash: d025dd0595d9e1ad030d582c95520a4d713526ca
MD5 hash: 3434d956f45adc6f0974733aa8ecfae1
humanhash: kilo-august-steak-winter
File name:profoma invoice.js
Download: download sample
File size:316'518 bytes
First seen:2026-04-17 14:12:14 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:lurugTAUWWLGHeJ7zj9DY0n360Os5p+fm1ENRGgiKW8FTonHuEduH+Q:lurMWLGHeJ7zj9DYGK0Os5Om1IziT8x5
Threatray 143 similar samples on MalwareBazaar
TLSH T1C4641F38ADEE401AB1B3EF54AEE43497E96FB7633B0E585C1081034A4723945EDD963E
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter abuse_ch
Tags:js

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.JS.Starter.157.25793.3398.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e2400345787c53e53a9c8b
Tags:
infosteal rapid
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
encrypted masquerade obfuscated repaired
Link:
https://www.filescan.io/uploads/69e23ff3799d5bf32504c92d/reports/c715e65a-9653-4b1d-925e-17487f4f6c3a/overview
Verdict:
Malicious
Labled as:
HEUR_Trojan_Script_Generic
Link:
https://www.hybrid-analysis.com/sample/fc5bdf6835859243ea18cce62e91f79ddc938eed2c4d67fe2360a30a2e869d28
Verdict:
Malicious
File Type:
js
First seen:
2026-04-16T04:30:00Z UTC
Last seen:
2026-04-19T06:31:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic Trojan.VBS.SAgent.sb Trojan.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/fc5bdf6835859243ea18cce62e91f79ddc938eed2c4d67fe2360a30a2e869d28/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1900186
Signature
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/fc5bdf6835859243ea18cce62e91f79ddc938eed2c4d67fe2360a30a2e869d28
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc5bdf6835859243ea18cce62e91f79ddc938eed2c4d67fe2360a30a2e869d28/
Verdict:
Malicious
Threat:
Trojan.VBS.Agent
Link:
https://tip.neiki.dev/file/fc5bdf6835859243ea18cce62e91f79ddc938eed2c4d67fe2360a30a2e869d28
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-04-16 08:22:02 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 38 (18.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7rn562bvqwjeh2qyzttc5epxtxojhdxnfrgwp7rdmcrqulugtuua._file
Verdict:
malicious
Label(s):
stubrunner
Create hunting rule
Similar samples:
1772fd3b338fec1770b1dec4c254dacd701b4ed16d635d8ea70511135c8d09e1
1f09085d69f59c49d58ac2223dfb09a5b3f33d76fee6a77c99e342c1d0d6a4e8
2eb0e981d79aa8407ccf4d54246cae7c343185e9326ac8b2919c3a55c6f3141d
54606f52cc55c899e1693a7b2b82c786380e885108dd9c18f8c5170b2d22483f
7772251f9973041149d84c7bb096014b581be5e81948489c541f16576413e169
9a0c4f50526f556d0885cdd72bea9316dac5619e070071636da4e199ec922ed0
db095614140b50170b85a8d1ba61ae4b35bd69299eeed4a4ddddf5333d18a489
e46670e5539dcbb79892bdd666ec63a3992d4c8aa6a33236c7d205b059d6bd93
e85bf177349f91d23697920f51bc38fa2088d135d206cac70c1111dc79183cc4
error
f1711b2ede7039611d0d1b5208dd1322f57817485849943b92528a2f940fa141
+ 133 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260417-rjbyxabx6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc5bdf6835859243ea18cce62e91f79ddc938eed2c4d67fe2360a30a2e869d28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
commented on 2026-04-17 19:49:03 UTC

Payload URL:
https://www.shcgroup-vn.com/image.png