MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcc04ecdc68d2aeb2c7d402e33f549fbd51213caac7c6134393d0b5f21bf6312. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: fcc04ecdc68d2aeb2c7d402e33f549fbd51213caac7c6134393d0b5f21bf6312
SHA3-384 hash: faebaee347233a558a41bde3e1c3b8b9d3b75a9b62a9fdea009215ea7d2095ede25ade8c2b6c83d30fee8683ac47a978
SHA1 hash: bf21aaf84a1e3b1b83a74a5613daa62c137fc3ab
MD5 hash: f516de5fe17a274fe7601ddf084674a7
humanhash: double-football-nine-salami
File name: fcc04ecdc68d2aeb2c7d402e33f549fbd51213caac7c6134393d0b5f21bf6312.hta
File size: 1'309 bytes
First seen: 2026-05-25 15:06:19 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 24:k42cLLhJwYgTjMTGqoLldp6XlH0RY5lTlqh9TAKUZFBKG4jvN1IlESjLBKuYjxf3:k4lL7wbTzBMXva4Z4vHo9y8hNu
TLSH: T1DF213845696283C879712A64C37DA201B0D2526BA5D0FD58F7CCE042BF25657EB091F2
Magika: html
Reporter: johnk3r
Tags: acrobat-lat Downloader hta latam m-acrobat-lat

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 43
Origin country: CH
Vendor Threat Intelligence
No detections
Verdict: Malicious
Score: 92.5%
Tags: autorun autoit emotet
Result
Verdict: Malicious
File Type: HTA File - Malicious
Behaviour
BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated
Verdict: Malicious
File Type: hta
First seen: 2026-05-25T08:32:00Z UTC
Last seen: 2026-05-25T23:58:00Z UTC
Hits: ~100
Detections: Trojan-Downloader.JS.SLoad.sb HEUR:Trojan-Dropper.Script.Agent.gen HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan-Downloader.HTA.SLoad.gen Trojan.JS.SAgent.sb
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Clears Internet Explorer cache and cookies (likely to cover tracks)
Command shell drops VBS files
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Obfuscated command line found
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Yara detected VBS Downloader Generic
Behaviour
Behavior Graph: ID 1918227, sample XlMY6aTErT.hta, start date 25/05/2026, architecture WINDOWS, score 100 (rendered process graph not reproduced here; it shows mshta.exe spawning cmd.exe, wscript.exe, buktpgsv.exe and rundll32.exe child processes, with the dropped files, contacted domains and signatures already listed above).
Verdict: inconclusive
YARA: 2 match(es)
Tags: Html
Verdict: Malicious
Threat: Trojan-Downloader.JS.SLoad
Threat name: Document-HTML.Trojan.Heuristic
Status: Malicious
First seen: 2026-05-25 13:11:24 UTC
File Type: Text (HTML)
Extracted files: 1
AV detection: 3 of 24 (12.50%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: adware discovery spyware
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Script User-Agent
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MalScript_Tricks
Author: @bartblaze
Description: Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by threat actors (can create FP).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



Padawan commented on 2026-05-25 15:11:14 UTC
