806fb7876b63ba89d2432cb831be01ba
Hash
- MD5: 806fb7876b63ba89d2432cb831be01ba
- SHA1: d3711cf96242f70968b71343c363062800443232
- SHA256: 4af2b83387e6ab3f4ec461150e1c6930c1d92ee4d5a7d8e39cd8a222127d9df1
- First Seen: 2026-05-15
- Last Seen: 2026-05-15
-
1
Related Reports
-
0
Related IOCs
Additional Information
MalwareBazaar
{
"query_status": "ok",
"data": [
{
"sha256_hash": "4af2b83387e6ab3f4ec461150e1c6930c1d92ee4d5a7d8e39cd8a222127d9df1",
"sha3_384_hash": "65dd91a731522e6e3d7a514ac11c6eeb8824df000e061cde1e696a6b4a9b9cbbc34c7ac9d8dfaeb4d85da02394ff934b",
"sha1_hash": "d3711cf96242f70968b71343c363062800443232",
"md5_hash": "806fb7876b63ba89d2432cb831be01ba",
"first_seen": "2026-03-16 23:37:31",
"last_seen": null,
"file_name": "a.ps1",
"file_size": 1699,
"file_type_mime": "text/plain",
"file_type": "ps1",
"file_format": null,
"file_arch": null,
"reporter": "kirk",
"origin_country": "US",
"anonymous": 0,
"signature": null,
"imphash": null,
"tlsh": "T17231361CB3FAD99964922245DCF604DC2CAE007F627E51F6E69DC9A0102112F437EFDA",
"telfhash": null,
"gimphash": null,
"ssdeep": "48:HaiT9WhBoMahXwwuABdP50D4yVIsimAwlmf:HRT9SwuAB4Dr+YY",
"magika": "powershell",
"dhash_icon": null,
"trid": null,
"comment": null,
"archive_pw": null,
"tags": null,
"code_sign": null,
"delivery_method": "web_download",
"intelligence": {
"clamav": [
"SecuriteInfo.com.PUA.IA.Suspicious.35812123.UNOFFICIAL"
],
"downloads": "197",
"uploads": "1",
"mail": null
},
"file_information": [
{
"context": "URLhaus",
"value": "https://urlhaus.abuse.ch/url/3797666/"
}
],
"ole_information": [],
"yara_rules": [
{
"rule_name": "detect_powershell",
"author": "daniyyell",
"description": "Detects suspicious PowerShell activity related to malware execution",
"reference": null
},
{
"rule_name": "Detect_PowerShell_Obfuscation",
"author": "daniyyell",
"description": "Detects obfuscated PowerShell commands commonly used in malicious scripts.",
"reference": null
},
{
"rule_name": "Detect_Remcos_RAT",
"author": "daniyyell",
"description": "Detects Remcos RAT payloads and commands",
"reference": null
},
{
"rule_name": "Disable_Defender",
"author": "iam-py-test",
"description": "Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen",
"reference": null
},
{
"rule_name": "Sus_CMD_Powershell_Usage",
"author": "XiAnzheng",
"description": "May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)",
"reference": null
}
],
"vendor_intel": {
"CERT-PL_MWDB": {
"detection": null,
"link": "https://mwdb.cert.pl/sample/4af2b83387e6ab3f4ec461150e1c6930c1d92ee4d5a7d8e39cd8a222127d9df1/"
},
"YOROI_YOMI": {
"detection": "Malicious File",
"score": "1.00"
},
"Triage": {
"malware_family": null,
"score": "10",
"link": "https://tria.ge/reports/260316-3mrz3sht6k/",
"tags": [
"discovery",
"execution"
],
"signatures": [
{
"signature": "Badlisted process makes network request",
"score": "8"
},
{
"signature": "Enumerates processes with tasklist",
"score": "5"
},
{
"signature": "Command and Scripting Interpreter: PowerShell",
"score": "3"
},
{
"signature": "Gathers network information",
"score": null
},
{
"signature": "Gathers system information",
"score": null
},
{
"signature": "Runs net.exe",
"score": null
},
{
"signature": "Suspicious behavior: EnumeratesProcesses",
"score": null
},
{
"signature": "Suspicious use of AdjustPrivilegeToken",
"score": null
},
{
"signature": "Suspicious use of WriteProcessMemory",
"score": null
}
],
"malware_config": [
{
"extraction": "dropper",
"family": null,
"c2": "https://nelark.icu/xftaswx/"
}
]
},
"ReversingLabs": {
"threat_name": null,
"status": "KNOWN",
"first_seen": "2026-03-16 15:12:13",
"scanner_count": "36",
"scanner_match": "5",
"scanner_percent": "13.89"
},
"Spamhaus_HBL": [
{
"detection": "suspicious",
"link": "https://www.spamhaus.org/hbl/"
}
],
"Kaspersky": {
"verdict": "Malware",
"file_type": "ps1",
"first_seen": "",
"last_seen": "",
"hitscount": 0,
"report_link": "https://opentip.kaspersky.com/4af2b83387e6ab3f4ec461150e1c6930c1d92ee4d5a7d8e39cd8a222127d9df1/results?tab=lookup",
"detections": [
"UDS:DangerousObject.Multi.Generic",
"Trojan.PowerShell.DefenderDisabler.sb",
"Trojan.PowerShell.Agent.sb"
]
}
},
"comments": [
{
"id": "173795",
"date_added": "2026-03-16 23:38:07",
"twitter_handle": null,
"display_name": null,
"comment": "LNK dropper chain from nelark[.]icu (195.26.242.135, Contabo). Kill chain: 1.pdf.lnk -> bb.ps1 (beacon) -> bypass.bat (fodhelper UAC bypass) -> bpersist.ps1 (Defender exclusions persistence) -> scheduler-once.bat (schtask as SYSTEM every 5min) -> a.ps1 (C2 polling loop). C2 endpoints: bb.php, get-command.php, post_proc.php, index.php under /xftaswx/res/. Persistence: schtask Intel(R) Ethernet3 Connection 1219-LM. Victim ID: HKLM:\\Software\\Wireless\\uid"
}
]
}
]
}