MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27228e152cf1ff82532586f91d6be1c8bf1fefdc571b09eaa4953c02e53aa6ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27228e152cf1ff82532586f91d6be1c8bf1fefdc571b09eaa4953c02e53aa6ad
SHA3-384 hash: 6949a128f02085bf30b77b5f12bc574623533297bf7c4a9fb5abad3c78d68633bb035e7d108e0693265267602512810b
SHA1 hash: 14f0b537e6957d390c049e9bb35451a5945719e5
MD5 hash: a32b6c34700aa583beba68aba55d1add
humanhash: emma-green-eighteen-tennessee
File name:svc_8xmlhr.ps1
Download: download sample
File size:18'987 bytes
First seen:2026-06-09 17:23:37 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 384:0Jy5Ep706FhwXpYylPi923084ajCD8MWsqvJnDT23NgumlHqW8AAb4fmV/lreHEU:0d1xFLKq98VZz28Vh2KEVm
TLSH T17382B729F406206186B3B77ACE975008FB37002B450B529CBA7CD2947F716F9C7A5FA9
Magika powershell
Reporter smica83
Tags:ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a284c5034eaf30d8ce45711
Tags:
shellcode vmdetect dropper spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto opendir
Link:
https://www.filescan.io/uploads/6a284c4a1f652d686573078e/reports/6e645581-acb1-4c8d-bfce-ec72298eae86/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/27228e152cf1ff82532586f91d6be1c8bf1fefdc571b09eaa4953c02e53aa6ad
Verdict:
Clean
File Type:
unix shell
First seen:
2026-06-09T14:46:00Z UTC
Last seen:
2026-06-10T13:07:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/27228e152cf1ff82532586f91d6be1c8bf1fefdc571b09eaa4953c02e53aa6ad/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1925332
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Tor Client/Browser Execution
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1925332 Sample: svc_8xmlhr.ps1 Startdate: 09/06/2026 Architecture: WINDOWS Score: 92 66 registry.npmmirror.com.w.cdngslb.com 2->66 68 registry.npmmirror.com 2->68 70 5 other IPs or domains 2->70 88 Yara detected Powershell download and execute 2->88 90 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->90 92 AI detected malicious Powershell script 2->92 94 4 other signatures 2->94 9 powershell.exe 16 1006 2->9         started        14 conhost.exe 2->14         started        16 conhost.exe 2->16         started        18 conhost.exe 2->18         started        signatures3 process4 dnsIp5 78 dist.torproject.org 204.8.99.146, 443, 49725 QUINTEX-QuintexAllianceConsultingUS United States 9->78 80 archive-01.torproject.org 159.69.63.226, 443, 49726 HETZNER-ASDE Germany 9->80 82 2 other IPs or domains 9->82 52 C:\Users\user\runtime\tor\torrc, Unknown 9->52 dropped 54 C:\Users\user\AppData\Local\Temp\...\node.exe, Unknown 9->54 dropped 56 C:\Users\user\AppData\...\install_tools.bat, Unknown 9->56 dropped 100 Found Tor onion address 9->100 102 Creates autostart registry keys with suspicious values (likely registry only malware) 9->102 104 Loading BitLocker PowerShell Module 9->104 106 Powershell drops PE file 9->106 20 tor.exe 13 9->20         started        24 conhost.exe 9->24         started        26 tar.exe 20 9->26         started        29 node.exe 2 9->29         started        31 powershell.exe 14->31         started        33 powershell.exe 16->33         started        file6 signatures7 process8 dnsIp9 72 64.65.63.64 SAEOL-1-ASN-1stAmendmentEncryptedOpennessLLCUS United States 20->72 74 96.9.98.157, 443, 49740 SAEOL-1-ASN-1stAmendmentEncryptedOpennessLLCUS United States 20->74 76 8 other IPs or domains 20->76 96 Found Tor onion address 20->96 35 conhost.exe 20->35         started        98 Bypasses PowerShell execution policy 24->98 58 C:\Users\user\runtime\tor\tor\tor.exe, PE32+ 26->58 dropped 60 C:\Users\user\runtime\tor\...\tor-gencert.exe, PE32+ 26->60 dropped 62 C:\Users\user\runtime\tor\...\lyrebird.exe, PE32+ 26->62 dropped 64 C:\Users\user\runtime\...\conjure-client.exe, PE32+ 26->64 dropped 37 cmd.exe 29->37         started        39 cmd.exe 29->39         started        41 conhost.exe 29->41         started        file10 signatures11 process12 process13 43 node.exe 37->43         started        46 conhost.exe 37->46         started        48 node.exe 39->48         started        50 conhost.exe 39->50         started        dnsIp14 84 registry.npmjs.org 104.16.6.34 CLOUDFLARENET-CloudflareIncUS Canada 43->84 86 registry.npmmirror.com.w.cdngslb.com 155.102.176.87 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 48->86
Score:
54%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/27228e152cf1ff82532586f91d6be1c8bf1fefdc571b09eaa4953c02e53aa6ad
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27228e152cf1ff82532586f91d6be1c8bf1fefdc571b09eaa4953c02e53aa6ad/
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-06-08 17:38:21 UTC
File Type:
Text (PowerShell)
AV detection:
4 of 24 (16.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e4ri4fjm6h7yeuzfq34r227bzc7r7364k4nqt2vesu6afzj2u2wq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260609-vyxqpsez6v/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27228e152cf1ff82532586f91d6be1c8bf1fefdc571b09eaa4953c02e53aa6ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_ClickFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:ClickFix social engineering and malicious PowerShell commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments