MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611
SHA3-384 hash: 0b59aebe516227ae11e06d6b9e5db56f23f721c14a1de12102835053ea003b741e725f4b1b18f196b10d201c6c777dc4
SHA1 hash: 4214696a2c7657296d72c3ecf430b741152df52e
MD5 hash: b2c85e12c003bfa1e6a725071dbe1a72
humanhash: summer-foxtrot-missouri-golf
File name:c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611.ps1
Download: download sample
File size:575 bytes
First seen:2026-04-15 15:20:32 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:IaDIB9RE9AEyPq25f0dap9omFAHgQe76gvLs:DDIpEuEyd0d1mF+jQ6gw
Threatray 170 similar samples on MalwareBazaar
TLSH T194F0E109BA70F25001319A25DEF2E89DFC9F40AB542373042374CB159F3512E8B15146
Magika powershell
Reporter JAMESWT_WT
Tags:187-77-255-35 hostingshared99-com paymentsv2-mysynology-net ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dfacf6f68adfe1003a19af
Tags:
autorun delphi
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/69dface7d920e19044fcee21/reports/8780c114-0a88-46fb-b13e-6dd559fb17bf/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-04-15T12:33:00Z UTC
Last seen:
2026-04-17T08:31:00Z UTC
Hits:
~100
Detections:
Trojan.PowerShell.Strion.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611/results?tab=lookup
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-15 14:42:40 UTC
File Type:
Text (PowerShell)
AV detection:
2 of 24 (8.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ya7o2fx4amqaysalbsdkc4fb655df6vvql7yk4nx565whx4nsyiq._file
Verdict:
suspicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
555f42c53dfd9c633f242ef3baca797365c2daee9af2475db2171d6fc2cd2b57
6968840ce1b13d50d13f7f0320a2e5d66bfd97073f325231edc58ec85e694b6b
8994d6ba13561a3fca2fca333213a65b7173103c646416508b6755d500ad52e1
96ad97bd3816ebd44d00a42a667b31dec54fce719d07c6bcad5625d1791f887c
a7cc50fef60f2db424d171c34140abec446daaecb10814b2d2d8a669b7c77419
ab2072ea9875d18f277462b80b10835a54c863ef4545a8ba821fff05291bc592
b0d8888f52eb7652d792a3baef6e73445c9ee234359e14ded43054a3c3e425b0
bfff6225f4fbbf9e36322240185935d0321763893c579f4e77b6efa520d5ab31
c288428684bf7ad78ef334011d5aa68b19a4aa73eb61122c126262acb9ad80ea
error
+ 160 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution installer persistence trojan
Link:
https://tria.ge/reports/260415-srdyxabw9j/
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Malware Config
Dropper Extraction:
http://187.77.255.35/script.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 c03eed16fc03200c480b0c86a170a1f77a32fab582ff8571b7efbb63df8d9611

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3822597/
  
Delivery method
Distributed via web download

Comments