MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fda1d464861ac16072605f2a390e710b18353cae798fd0ff41b67a9556fe24e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PXRECVOWEIWOEI


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fda1d464861ac16072605f2a390e710b18353cae798fd0ff41b67a9556fe24e2
SHA3-384 hash: b6bbc6707b33a5c360ac7dfc0a9af1601ef14a15de29c9330a0bf3688a0c9ee585d8f5e2ede19795006712445e54ff99
SHA1 hash: 1d59bf8c488eb6f43c7b5e7164f82b164e39ec10
MD5 hash: 2f32e9e485b127c1bdcaf7984cc7485a
humanhash: speaker-colorado-iowa-lamp
File name:PO_N0_JKPO25040107.js
Download: download sample
Signature PXRECVOWEIWOEI
Create hunting rule
File size:224'824 bytes
First seen:2025-06-19 12:23:40 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:XSzZKoA8ADG4CHfseLVtCFRrNGDNLUJKKKKcKKPuQ/w4WCicSntt/CcA8VRyfEA2:XSzZKoA8ADG4CHfseLVtCFRrNGDNLUJb
Threatray 172 similar samples on MalwareBazaar
TLSH T1AF2420076F1350A417F7D25EBA59C2C0E42D3737B45241E739FE9604AF3288496BAEE8
Magika javascript
Reporter JAMESWT_WT
Tags:js pub-a06eb79f0ebe4a6999bcc71a2227d8e3-r2-dev PXRECVOWEIWOEI

Intelligence

File Origin
# of uploads :
1
# of downloads :
426
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.13285.308.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685401a07d221bc0766c683d
Tags:
obfuscate cryxos xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 obfuscated overlay powershell
Link:
https://www.filescan.io/uploads/6854025f66c4b5c0b99afd6f/reports/1f19e20c-3970-42c5-894f-2078352990e6/overview
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/fda1d464861ac16072605f2a390e710b18353cae798fd0ff41b67a9556fe24e2
Result
Threat name:
PXRECVOWEIWOEI Stealer, Telegram Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1718525
Signature
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Injects a PE file into a foreign processes
Javascript file is likely language aware (will only work on specific systems)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Capture Wi-Fi password
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Reflective Assembly Load
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PXRECVOWEIWOEI Stealer
Yara detected Telegram RAT
Yara detected Telegram Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1718525 Sample: PO_N0_JKPO25040107.js Startdate: 19/06/2025 Architecture: WINDOWS Score: 100 36 api.telegram.org 2->36 38 pub-a06eb79f0ebe4a6999bcc71a2227d8e3.r2.dev 2->38 40 9 other IPs or domains 2->40 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 70 20 other signatures 2->70 10 wscript.exe 1 1 2->10         started        13 msiexec.exe 2->13         started        signatures3 68 Uses the Telegram API (likely for C&C communication) 36->68 process4 signatures5 84 JScript performs obfuscated calls to suspicious functions 10->84 86 Suspicious powershell command line found 10->86 88 Wscript starts Powershell (via cmd or directly) 10->88 90 3 other signatures 10->90 15 powershell.exe 14 16 10->15         started        process6 dnsIp7 48 pub-a06eb79f0ebe4a6999bcc71a2227d8e3.r2.dev 162.159.140.237, 443, 49696 CLOUDFLARENETUS United States 15->48 50 archive.org 207.241.224.2, 443, 49692 INTERNET-ARCHIVEUS United States 15->50 52 dn721404.ca.archive.org 204.62.246.237, 443, 49693 COGENT-174US United States 15->52 54 Found Tor onion address 15->54 56 Writes to foreign memory regions 15->56 58 Found suspicious powershell code related to unpacking or dynamic code loading 15->58 60 Injects a PE file into a foreign processes 15->60 19 MSBuild.exe 15 38 15->19         started        23 conhost.exe 15->23         started        signatures8 process9 dnsIp10 42 ip-api.com 208.95.112.1, 49698, 80 TUT-ASUS United States 19->42 44 api.telegram.org 149.154.167.220, 443, 49701 TELEGRAMRU United Kingdom 19->44 46 icanhazip.com 104.16.185.241, 49697, 80 CLOUDFLARENETUS United States 19->46 72 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->72 74 Tries to steal Mail credentials (via file / registry access) 19->74 76 Found many strings related to Crypto-Wallets (likely being stolen) 19->76 78 4 other signatures 19->78 25 cmd.exe 1 19->25         started        signatures11 process12 signatures13 80 Uses netsh to modify the Windows network and firewall settings 25->80 82 Tries to harvest and steal WLAN passwords 25->82 28 netsh.exe 2 25->28         started        30 conhost.exe 25->30         started        32 findstr.exe 1 25->32         started        34 chcp.com 1 25->34         started        process14
Score:
1%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/fda1d464861ac16072605f2a390e710b18353cae798fd0ff41b67a9556fe24e2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fda1d464861ac16072605f2a390e710b18353cae798fd0ff41b67a9556fe24e2/
Threat name:
Script-JS.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2025-06-16 03:51:00 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wq5izegdlawa4tal4vdsdtrbmmdkpfopgh5b72bwz5jkvx6etra._file
Verdict:
malicious
Label(s):
0bj3ctivitystealer
Create hunting rule
Similar samples:
098231c653d5968cadf74d3b7118d170615385dd0278035dbb4001204ac338ab
PXRECVOWEIWOEI
258168f70a3f2f1a7ce46dd548c13a8b4d822a14644da7b0dbc77118684eee3f
PXRECVOWEIWOEI
2a6745ebfc8f6fe258dc62ab69457a53d97802336350ad54f723d232c2ca58c3
PXRECVOWEIWOEI
3a33f0319f48278d3f16b75a7f66ce52d72ad79a65a81fbed386abb8a2b47329
PXRECVOWEIWOEI
3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b
PXRECVOWEIWOEI
42ce713a2f7b108238dcfd2f59c979f20af0b3109f3e5aaab6b53f0d84945e48
PXRECVOWEIWOEI
4dcc635b19743b5ebc21490d09b0b11031114db7d5fe39f401020e99937c43c7
PXRECVOWEIWOEI
6e3b7e91cfd74e8c92b717a46ea27d3c0fdccc75be62bb5c2d8bc58c8acdd9bf
PXRECVOWEIWOEI
bc2e2769bf88070ca32bc101078fa1bba62948cd3623476fc1cdb79f31fe443e
PXRECVOWEIWOEI
error
PXRECVOWEIWOEI
f6aade6969aac4658f72113e3247597ad63453fd2b7b4ad374b8cb2e7898cda5
PXRECVOWEIWOEI
+ 162 additional samples on MalwareBazaar
Result
Malware family:
obj3ctivity
Create hunting rule
Score:
  10/10
Tags:
family:obj3ctivity collection discovery execution persistence privilege_escalation stealer
Link:
https://tria.ge/reports/250619-pmd7bsvlt8/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects Obj3ctivity Stage1
Obj3ctivity family
Obj3ctivity, PXRECVOWEIWOEI
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fda1d464861ac16072605f2a390e710b18353cae798fd0ff41b67a9556fe24e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PXRECVOWEIWOEI

Java Script (JS) js fda1d464861ac16072605f2a390e710b18353cae798fd0ff41b67a9556fe24e2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3568185/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3568191/

Comments