2689f58b803364bbfba2edb423a3b572
Hash
- MD5: 2689f58b803364bbfba2edb423a3b572
- SHA1: 8466497f417e423d3c29fa42fedc099db30afec7
- SHA256: e8879c41e383df2be62e3b5c6cb4c92f53a886913eb66d8f60ac071020d633dd
- First Seen: 2026-05-15
- Last Seen: 2026-05-15
-
1
Related Reports
-
0
Related IOCs
Additional Information
MalwareBazaar
{
"query_status": "ok",
"data": [
{
"sha256_hash": "e8879c41e383df2be62e3b5c6cb4c92f53a886913eb66d8f60ac071020d633dd",
"sha3_384_hash": "4fc04f50772bf321b81a59be616796711da351096a0eae20049c02c5ab11ab98a953c0de8c9904383bf0d12ae53d3979",
"sha1_hash": "8466497f417e423d3c29fa42fedc099db30afec7",
"md5_hash": "2689f58b803364bbfba2edb423a3b572",
"first_seen": "2026-03-16 23:37:22",
"last_seen": null,
"file_name": "bpersist.ps1",
"file_size": 4298,
"file_type_mime": "text/plain",
"file_type": "ps1",
"file_format": null,
"file_arch": null,
"reporter": "kirk",
"origin_country": "US",
"anonymous": 0,
"signature": null,
"imphash": null,
"tlsh": "T1B691A38247109A5E6C611319DCF9C26768FF5089377A4918959CCCD0247836FCFA9EF5",
"telfhash": null,
"gimphash": null,
"ssdeep": "96:HRT9WEF8XwEKxZU2GunaIYVktMcXz0kRDtMPq02CgUYbSlavzUZp:xJWtr2XnafVwXlrzUZp",
"magika": "powershell",
"dhash_icon": null,
"trid": null,
"comment": null,
"archive_pw": null,
"tags": null,
"code_sign": null,
"delivery_method": "web_download",
"intelligence": {
"clamav": [
"SecuriteInfo.com.Script.SNH-gen.91138883.UNOFFICIAL"
],
"downloads": "194",
"uploads": "1",
"mail": null
},
"file_information": [
{
"context": "URLhaus",
"value": "https://urlhaus.abuse.ch/url/3797651/"
}
],
"ole_information": [],
"yara_rules": [
{
"rule_name": "detect_powershell",
"author": "daniyyell",
"description": "Detects suspicious PowerShell activity related to malware execution",
"reference": null
},
{
"rule_name": "Detect_PowerShell_Obfuscation",
"author": "daniyyell",
"description": "Detects obfuscated PowerShell commands commonly used in malicious scripts.",
"reference": null
},
{
"rule_name": "Detect_Remcos_RAT",
"author": "daniyyell",
"description": "Detects Remcos RAT payloads and commands",
"reference": null
},
{
"rule_name": "Disable_Defender",
"author": "iam-py-test",
"description": "Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen",
"reference": null
},
{
"rule_name": "Sus_CMD_Powershell_Usage",
"author": "XiAnzheng",
"description": "May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)",
"reference": null
}
],
"vendor_intel": {
"CERT-PL_MWDB": {
"detection": null,
"link": "https://mwdb.cert.pl/sample/e8879c41e383df2be62e3b5c6cb4c92f53a886913eb66d8f60ac071020d633dd/"
},
"YOROI_YOMI": {
"detection": "Malicious File",
"score": "1.00"
},
"Triage": {
"malware_family": null,
"score": "10",
"link": "https://tria.ge/reports/260316-3mrpbaht5q/",
"tags": [
"defense_evasion",
"discovery",
"execution",
"persistence"
],
"signatures": [
{
"signature": "Badlisted process makes network request",
"score": "8"
},
{
"signature": "Command and Scripting Interpreter: PowerShell",
"score": "8"
},
{
"signature": "Obfuscated Files or Information: Command Obfuscation",
"score": "6"
},
{
"signature": "Drops file in System32 directory",
"score": "5"
},
{
"signature": "Enumerates processes with tasklist",
"score": "5"
},
{
"signature": "Gathers network information",
"score": null
},
{
"signature": "Gathers system information",
"score": null
},
{
"signature": "Modifies data under HKEY_USERS",
"score": null
},
{
"signature": "Modifies registry class",
"score": null
},
{
"signature": "Runs net.exe",
"score": null
},
{
"signature": "Scheduled Task/Job: Scheduled Task",
"score": null
},
{
"signature": "Suspicious behavior: EnumeratesProcesses",
"score": null
},
{
"signature": "Suspicious use of AdjustPrivilegeToken",
"score": null
},
{
"signature": "Suspicious use of WriteProcessMemory",
"score": null
},
{
"signature": "Uses Task Scheduler COM API",
"score": null
}
],
"malware_config": [
{
"extraction": "dropper",
"family": null,
"c2": "https://nelark.icu/xftaswx/"
},
{
"extraction": "dropper",
"family": null,
"c2": "http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1"
}
]
},
"ReversingLabs": {
"threat_name": "Win32.Trojan.Generic",
"status": "SUSPICIOUS",
"first_seen": "2026-03-16 15:12:13",
"scanner_count": "36",
"scanner_match": "2",
"scanner_percent": "5.56"
},
"Spamhaus_HBL": [
{
"detection": "suspicious",
"link": "https://www.spamhaus.org/hbl/"
}
],
"Kaspersky": {
"verdict": "Malware",
"file_type": "ps1",
"first_seen": "",
"last_seen": "",
"hitscount": 0,
"report_link": "https://opentip.kaspersky.com/e8879c41e383df2be62e3b5c6cb4c92f53a886913eb66d8f60ac071020d633dd/results?tab=lookup",
"detections": [
"UDS:DangerousObject.Multi.Generic",
"Trojan-Downloader.Win32.PsDownload.sb",
"Trojan.Win32.Agent.sb",
"Trojan-Dropper.Win32.Agent.sb",
"HEUR:Trojan.Multi.Powedon.c",
"HEUR:Trojan.Multi.Powedon.a",
"Trojan-Downloader.Agent.HTTP.C&C",
"Trojan.Win32.PowerShell.b",
"PDM:Trojan.Win32.Generic",
"Trojan.PowerShell.DefenderDisabler.sb",
"Trojan.PowerShell.Agent.sb"
]
}
},
"comments": [
{
"id": "173792",
"date_added": "2026-03-16 23:38:01",
"twitter_handle": null,
"display_name": null,
"comment": "LNK dropper chain from nelark[.]icu (195.26.242.135, Contabo). Kill chain: 1.pdf.lnk -> bb.ps1 (beacon) -> bypass.bat (fodhelper UAC bypass) -> bpersist.ps1 (Defender exclusions persistence) -> scheduler-once.bat (schtask as SYSTEM every 5min) -> a.ps1 (C2 polling loop). C2 endpoints: bb.php, get-command.php, post_proc.php, index.php under /xftaswx/res/. Persistence: schtask Intel(R) Ethernet3 Connection 1219-LM. Victim ID: HKLM:\\Software\\Wireless\\uid"
}
]
}
]
}