a3363e0c22c0356fdbcdc37f502bbcde
Hash
- MD5: a3363e0c22c0356fdbcdc37f502bbcde
- SHA1: 23f9756d593354111beba4b2ff2ebf5bd8154bee
- SHA256: 02d9468af1e2a4be19f3a31549b808e6fd327922eb68d96706122ef8653c9d7a
- First Seen: 2026-05-15
- Last Seen: 2026-05-15
- Related Reports: 1
- Related IOCs: 0
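Additional Information
MalwareBazaar (API response for this hash; its first_seen of 2026-03-31 is MalwareBazaar's own timestamp and differs from the First Seen date listed above)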
{
"query_status": "ok",
"data": [
{
"sha256_hash": "02d9468af1e2a4be19f3a31549b808e6fd327922eb68d96706122ef8653c9d7a",
"sha3_384_hash": "5b4567c2dd0ed385ee4f3a716f0103f67ba5802bec0763067bb2f0857dde76b23a846869a5125e559a950fffbf700885",
"sha1_hash": "23f9756d593354111beba4b2ff2ebf5bd8154bee",
"md5_hash": "a3363e0c22c0356fdbcdc37f502bbcde",
"first_seen": "2026-03-31 05:41:09",
"last_seen": null,
"file_name": "firefox.ps1",
"file_size": 5136,
"file_type_mime": "text/plain",
"file_type": "ps1",
"file_format": null,
"file_arch": null,
"reporter": "KodaDr",
"origin_country": "RU",
"anonymous": 0,
"signature": "Kimsuky",
"imphash": null,
"tlsh": "T1E2B1E20177E90148F6F32F14AABE2560486BBE9A9E32CE5D06240C8D0A71B549CB6F36",
"telfhash": null,
"gimphash": null,
"ssdeep": "96:FmuK4rHJWNj9paIWh061SOONyWUOO9Xes6G/nbzHJhAHrqWSWzHJ5I+E:FhK4zJCfuh0DOONyWUOO8b0brJSL5rJk",
"magika": "powershell",
"dhash_icon": null,
"trid": [
"66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)",
"33.3% (.MP3) MP3 audio (1000/1)"
],
"comment": null,
"archive_pw": null,
"tags": [
"Kimsuky",
"PowerShell",
"ps1"
],
"code_sign": null,
"delivery_method": null,
"intelligence": {
"clamav": null,
"downloads": "119",
"uploads": "1",
"mail": null
},
"file_information": null,
"ole_information": [],
"yara_rules": [
{
"rule_name": "detect_powershell",
"author": "daniyyell",
"description": "Detects suspicious PowerShell activity related to malware execution",
"reference": null
},
{
"rule_name": "Sus_CMD_Powershell_Usage",
"author": "XiAnzheng",
"description": "May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)",
"reference": null
}
],
"vendor_intel": {
"CERT-PL_MWDB": {
"detection": null,
"link": "https://mwdb.cert.pl/sample/02d9468af1e2a4be19f3a31549b808e6fd327922eb68d96706122ef8653c9d7a/"
},
"YOROI_YOMI": {
"detection": "Malicious File",
"score": "1.00"
},
"Triage": {
"malware_family": null,
"score": "8",
"link": "https://tria.ge/reports/260331-gdhjdse14r/",
"tags": [
"discovery",
"execution"
],
"signatures": [
{
"signature": "Badlisted process makes network request",
"score": "8"
},
{
"signature": "Command and Scripting Interpreter: PowerShell",
"score": "8"
},
{
"signature": "Deletes itself",
"score": "7"
},
{
"signature": "Contacts third-party web service commonly abused for C2",
"score": "6"
},
{
"signature": "Drops file in Program Files directory",
"score": "4"
},
{
"signature": "Drops file in Windows directory",
"score": "4"
},
{
"signature": "Browser Information Discovery",
"score": "3"
},
{
"signature": "System Time Discovery",
"score": "3"
},
{
"signature": "Checks processor information in registry",
"score": null
},
{
"signature": "Enumerates system info in registry",
"score": null
},
{
"signature": "Modifies data under HKEY_USERS",
"score": null
},
{
"signature": "Modifies registry class",
"score": null
},
{
"signature": "Suspicious behavior: EnumeratesProcesses",
"score": null
},
{
"signature": "Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary",
"score": null
},
{
"signature": "Suspicious use of AdjustPrivilegeToken",
"score": null
},
{
"signature": "Suspicious use of FindShellTrayWindow",
"score": null
},
{
"signature": "Suspicious use of WriteProcessMemory",
"score": null
}
],
"malware_config": []
},
"ReversingLabs": {
"threat_name": "Win32.Trojan.Qwexlafiba",
"status": "MALICIOUS",
"first_seen": "2026-03-30 23:43:01",
"scanner_count": "24",
"scanner_match": "7",
"scanner_percent": "29.17"
},
"Spamhaus_HBL": [
{
"detection": "suspicious",
"link": "https://www.spamhaus.org/hbl/"
}
],
"FileScan-IO": {
"verdict": "MALICIOUS",
"threatlevel": "1.0",
"confidence": "1.0",
"report_link": "https://www.filescan.io/uploads/69cb5e78e2df9aa488bf40ed/reports/35283ce2-1e11-4088-af1a-00403d56b129/overview"
},
"Kaspersky": {
"verdict": "Malware",
"file_type": "ps1",
"first_seen": "2026-03-31T02:57:00Z",
"last_seen": "2026-03-31T06:00:00Z",
"hitscount": 100,
"report_link": "https://opentip.kaspersky.com/02d9468af1e2a4be19f3a31549b808e6fd327922eb68d96706122ef8653c9d7a/results?tab=lookup",
"detections": [
"HEUR:Trojan.Script.Generic",
"Trojan-Downloader.VBS.Agent.bra",
"PDM:Trojan.Win32.Generic",
"Trojan.PowerShell.DefenderDisabler.sb",
"HEUR:Trojan-Downloader.PowerShell.Generic",
"HEUR:Backdoor.PowerShell.Agent.gen"
]
}
},
"comments": null
}
]
}