552ca91696fedd387e1ea47f50f18344
Hash
- MD5: 552ca91696fedd387e1ea47f50f18344
- SHA1: ae92d30836256fe3e3aff4102c726dde5d4a9f36
- SHA256: d0e84b6bf4d810da9e177a54c397033b310864ede10eb9f9b7e6b2672daf23f5
- First Seen: 2026-05-15
- Last Seen: 2026-05-15
Additional Information
MalwareBazaar
{
"query_status": "ok",
"data": [
{
"sha256_hash": "d0e84b6bf4d810da9e177a54c397033b310864ede10eb9f9b7e6b2672daf23f5",
"sha3_384_hash": "d778207fe4d7aaab2df876867de4eb02ebf2581b0f1561be024057a262cc4f2dabfcf2e05e2fdcb63b783aebac275852",
"sha1_hash": "ae92d30836256fe3e3aff4102c726dde5d4a9f36",
"md5_hash": "552ca91696fedd387e1ea47f50f18344",
"first_seen": "2026-03-16 23:37:28",
"last_seen": null,
"file_name": "scheduler-once.bat",
"file_size": 895,
"file_type_mime": "text/x-msdos-batch",
"file_type": "bat",
"file_format": null,
"file_arch": null,
"reporter": "kirk",
"origin_country": "US",
"anonymous": 0,
"signature": null,
"imphash": null,
"tlsh": "T106115CBBB51AEC494A4FF890599B0923AC76E8A3536611C68075C6305CFF275E3373C6",
"telfhash": null,
"gimphash": null,
"ssdeep": "24:Nb18JkILHlc5HlcSLhUIlcLFY7JlcVIIlcL23t/2cTerY77lc4n:NaqhkKELYJqVAL2VTeOu4n",
"magika": "batch",
"dhash_icon": null,
"trid": null,
"comment": null,
"archive_pw": null,
"tags": null,
"code_sign": null,
"delivery_method": "web_download",
"intelligence": {
"clamav": [
"SecuriteInfo.com.Heur.BZC.PZQ.Boxter.794.9E871368.18888.31503.UNOFFICIAL"
],
"downloads": "184",
"uploads": "1",
"mail": null
},
"file_information": [
{
"context": "cape",
"value": "https://www.capesandbox.com/analysis/57691/"
},
{
"context": "URLhaus",
"value": "https://urlhaus.abuse.ch/url/3797653/"
}
],
"ole_information": [],
"yara_rules": [
{
"rule_name": "detect_powershell",
"author": "daniyyell",
"description": "Detects suspicious PowerShell activity related to malware execution",
"reference": null
},
{
"rule_name": "Detect_PowerShell_Obfuscation",
"author": "daniyyell",
"description": "Detects obfuscated PowerShell commands commonly used in malicious scripts.",
"reference": null
},
{
"rule_name": "FreddyBearDropper",
"author": "Dwarozh Hoshiar",
"description": "Freddy Bear Dropper is dropping malware through a base64 encoded powershell script.",
"reference": null
},
{
"rule_name": "Suspicious_Process",
"author": "Security Research Team",
"description": "Suspicious process creation",
"reference": null
},
{
"rule_name": "Sus_CMD_Powershell_Usage",
"author": "XiAnzheng",
"description": "May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)",
"reference": null
},
{
"rule_name": "WIN_FileFix_Detection",
"author": "dogsafetyforeverone",
"description": "Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths",
"reference": "FileFix social engineering with PowerShell and PHP commands"
}
],
"vendor_intel": {
"ANY.RUN": [
{
"malware_family": null,
"verdict": "Malicious activity",
"file_name": "bpersist.ps1",
"date": "2026-03-16 23:32:13",
"analysis_url": "https://app.any.run/tasks/6f19877a-bcba-43ca-8324-182c6647a3f8",
"tags": [
"powershell",
"auto-sch",
"anti-evasion"
]
}
],
"CERT-PL_MWDB": {
"detection": null,
"link": "https://mwdb.cert.pl/sample/d0e84b6bf4d810da9e177a54c397033b310864ede10eb9f9b7e6b2672daf23f5/"
},
"YOROI_YOMI": {
"detection": "Malicious File",
"score": "1.00"
},
"vxCube": {
"verdict": "malware2",
"maliciousness": "100",
"behaviour": [
{
"threat_level": "malicious",
"rule": "Adding an exclusion to Microsoft Defender"
},
{
"threat_level": "malicious",
"rule": "Enabling autorun by creating a file"
},
{
"threat_level": "neutral",
"rule": "Launching a process"
},
{
"threat_level": "neutral",
"rule": "Running batch commands"
},
{
"threat_level": "neutral",
"rule": "Forced system process termination"
},
{
"threat_level": "neutral",
"rule": "Creating a file in the Windows subdirectories"
},
{
"threat_level": "neutral",
"rule": "DNS request"
},
{
"threat_level": "neutral",
"rule": "Connection attempt"
},
{
"threat_level": "neutral",
"rule": "Sending an HTTP GET request"
},
{
"threat_level": "neutral",
"rule": "Sending a custom TCP request"
},
{
"threat_level": "neutral",
"rule": "Creating a file in the system32 subdirectories"
},
{
"threat_level": "neutral",
"rule": "Using the Windows Management Instrumentation requests"
},
{
"threat_level": "neutral",
"rule": "Launching the process to interact with network services"
}
]
},
"CAPE": {
"detection": null,
"link": "https://www.capesandbox.com/analysis/57691/"
},
"Triage": {
"malware_family": null,
"score": "10",
"link": "https://tria.ge/reports/260316-3mrz3sht6j/",
"tags": [
"defense_evasion",
"discovery",
"execution",
"persistence"
],
"signatures": [
{
"signature": "Badlisted process makes network request",
"score": "8"
},
{
"signature": "Command and Scripting Interpreter: PowerShell",
"score": "6"
},
{
"signature": "Obfuscated Files or Information: Command Obfuscation",
"score": "6"
},
{
"signature": "Drops file in System32 directory",
"score": "5"
},
{
"signature": "Enumerates processes with tasklist",
"score": "5"
},
{
"signature": "Gathers network information",
"score": null
},
{
"signature": "Gathers system information",
"score": null
},
{
"signature": "Modifies data under HKEY_USERS",
"score": null
},
{
"signature": "Runs net.exe",
"score": null
},
{
"signature": "Scheduled Task/Job: Scheduled Task",
"score": null
},
{
"signature": "Suspicious behavior: EnumeratesProcesses",
"score": null
},
{
"signature": "Suspicious use of AdjustPrivilegeToken",
"score": null
},
{
"signature": "Suspicious use of WriteProcessMemory",
"score": null
},
{
"signature": "Uses Task Scheduler COM API",
"score": null
}
],
"malware_config": [
{
"extraction": "dropper",
"family": null,
"c2": "http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1"
}
]
},
"ReversingLabs": {
"threat_name": null,
"status": "KNOWN",
"first_seen": "2026-03-16 03:21:08",
"scanner_count": "36",
"scanner_match": "3",
"scanner_percent": "8.33"
},
"Spamhaus_HBL": [
{
"detection": "suspicious",
"link": "https://www.spamhaus.org/hbl/"
}
],
"Kaspersky": {
"verdict": "Malware",
"file_type": "text",
"first_seen": "",
"last_seen": "",
"hitscount": 0,
"report_link": "https://opentip.kaspersky.com/d0e84b6bf4d810da9e177a54c397033b310864ede10eb9f9b7e6b2672daf23f5/results?tab=lookup",
"detections": [
"UDS:DangerousObject.Multi.Generic"
]
}
},
"comments": [
{
"id": "173794",
"date_added": "2026-03-16 23:38:05",
"twitter_handle": null,
"display_name": null,
"comment": "LNK dropper chain from nelark[.]icu (195.26.242[.]135, Contabo). Kill chain: 1.pdf.lnk -> bb.ps1 (beacon) -> bypass.bat (fodhelper UAC bypass) -> bpersist.ps1 (Defender exclusions persistence) -> scheduler-once.bat (schtask as SYSTEM every 5 min) -> a.ps1 (C2 polling loop). C2 endpoints: bb.php, get-command.php, post_proc.php, index.php under /xftaswx/res/. Persistence: schtask named Intel(R) Ethernet3 Connection 1219-LM. Victim ID: HKLM:\\Software\\Wireless\\uid"
}
]
}
]
}