MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38058a01b9a8c9b077465fed1bb2c38c33624996ed6a1b6121e31ed3a88b5d20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38058a01b9a8c9b077465fed1bb2c38c33624996ed6a1b6121e31ed3a88b5d20
SHA3-384 hash: b7c9b9f0f17215e794a22c983d9599a77d4fec78364a8c8144bccca744d627e26c515285e11c51ddb92bb03761cfe97d
SHA1 hash: 6bddecb990c7aedc3c92087d56d8ba244fcd5b96
MD5 hash: 01e5b2530d4cba34f91c8090d19c92db
humanhash: thirteen-ink-kitten-fruit
File name:1.ps1
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'202 bytes
First seen:2025-05-09 15:53:46 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24:4GBqVOR4PuTLT9wosA4SB47ibNPZVob9w06FqwONHTZSLSZNMSweU3SSewOy3SSu:pmufbFZVo76kxrusj+GURsNr
TLSH T12741BB85C584EFB2C681560A9948F915ED8F049BF2D98C01F79C1640DF211FD9A6CFDB
Magika powershell
Reporter abuse_ch
Tags:CoinMiner ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PowerShell.DownLoader.1760.4981.3232.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681e26c8e16384d6a7035b3c
Tags:
autorun xmrig
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper miner persistence powershell xcopy
Link:
https://www.filescan.io/uploads/681e25220b64e174c41fe6a6/reports/f43ec4ff-b1ca-4a32-8ad8-782f7ae0f470/overview
Verdict:
Malicious
Labled as:
PWSH.Miner.D.Generic
Link:
https://www.hybrid-analysis.com/sample/38058a01b9a8c9b077465fed1bb2c38c33624996ed6a1b6121e31ed3a88b5d20
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1685664
Signature
AI detected malicious Powershell script
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Schedule system process
Sigma detected: Shedule hidden powershell script
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Powershell download and execute
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1685664 Sample: 1.ps1 Startdate: 09/05/2025 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 11 other signatures 2->52 7 powershell.exe 15 23 2->7         started        12 powershell.exe 5 2->12         started        14 svchost.exe 1 1 2->14         started        process3 dnsIp4 36 78.153.140.66, 49681, 80 INTERLAN-ASRU Russian Federation 7->36 30 C:\Users\user\AppData\Local\...\sysupdate.exe, PE32+ 7->30 dropped 32 C:\Users\user\AppData\Local\...\config.json, JSON 7->32 dropped 54 Found strings related to Crypto-Mining 7->54 56 Uses schtasks.exe or at.exe to add and modify task schedules 7->56 58 Powershell drops PE file 7->58 16 sysupdate.exe 1 7->16         started        20 conhost.exe 7->20         started        22 schtasks.exe 1 7->22         started        24 xcopy.exe 1 7->24         started        26 conhost.exe 12->26         started        38 127.0.0.1 unknown unknown 14->38 file5 signatures6 process7 dnsIp8 34 45.136.244.146, 3333 ASBAXETRU Russian Federation 16->34 40 Antivirus detection for dropped file 16->40 42 Multi AV Scanner detection for dropped file 16->42 44 Found strings related to Crypto-Mining 16->44 28 conhost.exe 16->28         started        signatures9 process10
Score:
19%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/38058a01b9a8c9b077465fed1bb2c38c33624996ed6a1b6121e31ed3a88b5d20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38058a01b9a8c9b077465fed1bb2c38c33624996ed6a1b6121e31ed3a88b5d20/
Threat name:
Script-PowerShell.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2025-05-09 15:11:30 UTC
File Type:
Text (PowerShell)
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hacyuanzvde3a52gl7wrxmwdrqzwesmw5vvbwyjb4mpnhkelluqa._file
Verdict:
malicious
Label(s):
coinminer
Create hunting rule
Similar samples:
error
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig execution miner
Link:
https://tria.ge/reports/250509-tb9w3shj9x/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
XMRig Miner payload
Xmrig family
xmrig
Malware Config
Dropper Extraction:
http://78.153.140.66/xmrig.exe
http://78.153.140.66/config.json
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38058a01b9a8c9b077465fed1bb2c38c33624996ed6a1b6121e31ed3a88b5d20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

PowerShell (PS) ps1 38058a01b9a8c9b077465fed1bb2c38c33624996ed6a1b6121e31ed3a88b5d20

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3539649/
  
Delivery method
Distributed via web download

Comments