c57a8b40d2ca402656ff3d778f42708c
Hash
- MD5: c57a8b40d2ca402656ff3d778f42708c
- SHA1: b21513438ba722758d6438f3872962a3ff01289d
- SHA256: 60aa052dc1cad8a9f39983ffd6a21c97b43f3b9c8925ed1bac8113feaa07bf44
- First Seen: 2026-05-15
- Last Seen: 2026-05-15
-
1
Related Reports
-
0
Related IOCs
Additional Information
MalwareBazaar
{
"query_status": "ok",
"data": [
{
"sha256_hash": "60aa052dc1cad8a9f39983ffd6a21c97b43f3b9c8925ed1bac8113feaa07bf44",
"sha3_384_hash": "955f392fe57dbfc665aece3276742eeaeb2d71c426e8977dcd35eababd0b2136732089106383f8f9a74b0be5bf250bd3",
"sha1_hash": "b21513438ba722758d6438f3872962a3ff01289d",
"md5_hash": "c57a8b40d2ca402656ff3d778f42708c",
"first_seen": "2026-03-16 23:37:19",
"last_seen": null,
"file_name": "bb.ps1",
"file_size": 2613,
"file_type_mime": "text/plain",
"file_type": "ps1",
"file_format": null,
"file_arch": null,
"reporter": "kirk",
"origin_country": "US",
"anonymous": 0,
"signature": null,
"imphash": null,
"tlsh": "T129518588676598AC3C802352FCFE446628EE001A777D1495D4EE8CE0903D3AF87729F2",
"telfhash": null,
"gimphash": null,
"ssdeep": "48:faiT9KVXwwuABXqED4yV49ayLaUP+WuxeaMS99wktNT0AZqqYAr:fRT9hwuABXnDr/ZU2WuxeaMY9wktNnZV",
"magika": "powershell",
"dhash_icon": null,
"trid": null,
"comment": null,
"archive_pw": null,
"tags": null,
"code_sign": null,
"delivery_method": "web_download",
"intelligence": {
"clamav": [
"SecuriteInfo.com.Script.SNH-gen.85636447.UNOFFICIAL"
],
"downloads": "189",
"uploads": "1",
"mail": null
},
"file_information": [
{
"context": "URLhaus",
"value": "https://urlhaus.abuse.ch/url/3797652/"
}
],
"ole_information": [],
"yara_rules": [
{
"rule_name": "detect_powershell",
"author": "daniyyell",
"description": "Detects suspicious PowerShell activity related to malware execution",
"reference": null
},
{
"rule_name": "Detect_Remcos_RAT",
"author": "daniyyell",
"description": "Detects Remcos RAT payloads and commands",
"reference": null
},
{
"rule_name": "Sus_CMD_Powershell_Usage",
"author": "XiAnzheng",
"description": "May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)",
"reference": null
}
],
"vendor_intel": {
"CERT-PL_MWDB": {
"detection": null,
"link": "https://mwdb.cert.pl/sample/60aa052dc1cad8a9f39983ffd6a21c97b43f3b9c8925ed1bac8113feaa07bf44/"
},
"YOROI_YOMI": {
"detection": "Malicious File",
"score": "1.00"
},
"Triage": {
"malware_family": null,
"score": "10",
"link": "https://tria.ge/reports/260316-3mrpbaht5p/",
"tags": [
"defense_evasion",
"discovery",
"execution",
"persistence"
],
"signatures": [
{
"signature": "Badlisted process makes network request",
"score": "8"
},
{
"signature": "Command and Scripting Interpreter: PowerShell",
"score": "8"
},
{
"signature": "Obfuscated Files or Information: Command Obfuscation",
"score": "6"
},
{
"signature": "Drops file in System32 directory",
"score": "5"
},
{
"signature": "Enumerates processes with tasklist",
"score": "5"
},
{
"signature": "Gathers network information",
"score": null
},
{
"signature": "Gathers system information",
"score": null
},
{
"signature": "Modifies data under HKEY_USERS",
"score": null
},
{
"signature": "Modifies registry class",
"score": null
},
{
"signature": "Runs net.exe",
"score": null
},
{
"signature": "Scheduled Task/Job: Scheduled Task",
"score": null
},
{
"signature": "Suspicious behavior: EnumeratesProcesses",
"score": null
},
{
"signature": "Suspicious use of AdjustPrivilegeToken",
"score": null
},
{
"signature": "Suspicious use of WriteProcessMemory",
"score": null
},
{
"signature": "Uses Task Scheduler COM API",
"score": null
}
],
"malware_config": [
{
"extraction": "dropper",
"family": null,
"c2": "https://nelark.icu/xftaswx/"
},
{
"extraction": "dropper",
"family": null,
"c2": "http://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1"
}
]
},
"ReversingLabs": {
"threat_name": "Script.Trojan.Heuristic",
"status": "MALICIOUS",
"first_seen": "2026-03-16 12:33:00",
"scanner_count": "36",
"scanner_match": "8",
"scanner_percent": "22.22"
},
"Spamhaus_HBL": [
{
"detection": "suspicious",
"link": "https://www.spamhaus.org/hbl/"
}
],
"Kaspersky": {
"verdict": "Malware",
"file_type": "ps1",
"first_seen": "",
"last_seen": "",
"hitscount": 0,
"report_link": "https://opentip.kaspersky.com/60aa052dc1cad8a9f39983ffd6a21c97b43f3b9c8925ed1bac8113feaa07bf44/results?tab=lookup",
"detections": [
"Trojan-Downloader.Win32.PsDownload.sb",
"Trojan-Downloader.Agent.HTTP.C&C",
"Trojan.PowerShell.DefenderDisabler.sb",
"PDM:Trojan.Win32.Generic",
"HEUR:Trojan.Multi.Powedon.c",
"HEUR:Trojan.Multi.Powedon.a",
"Trojan-Dropper.Win32.Agent.sb"
]
}
},
"comments": [
{
"id": "173791",
"date_added": "2026-03-16 23:38:00",
"twitter_handle": null,
"display_name": null,
"comment": "LNK dropper chain from nelark[.]icu (195.26.242.135, Contabo). Kill chain: 1.pdf.lnk -> bb.ps1 (beacon) -> bypass.bat (fodhelper UAC bypass) -> bpersist.ps1 (Defender exclusions persistence) -> scheduler-once.bat (schtask as SYSTEM every 5min) -> a.ps1 (C2 polling loop). C2 endpoints: bb.php, get-command.php, post_proc.php, index.php under /xftaswx/res/. Persistence: schtask Intel(R) Ethernet3 Connection 1219-LM. Victim ID: HKLM:\\Software\\Wireless\\uid"
}
]
}
]
}