MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c481c10cdbd1f78f17486b6f55360d13d2f6158d2021ed855623aa3833926c14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c481c10cdbd1f78f17486b6f55360d13d2f6158d2021ed855623aa3833926c14
SHA3-384 hash: 5581cfa60abf8923be9231617fff6269cf17a17f9a234ad0906f413ee8ba5a8c32aacc09c5892b7124de721feffc84e1
SHA1 hash: eb7061b7ba5f373ff6ed8dbdab28bdf6c627fdc5
MD5 hash: d08b5b42cd398f32295fa9b2963380b3
humanhash: wyoming-chicken-stream-emma
File name:15771_.ps1
Download: download sample
File size:83'356 bytes
First seen:2026-01-27 20:07:14 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:13yUBqdjC1Jx2OaQoEhzsjN5wk+krKngac6A4jz7Yl:13hqdu1DxoiiN2k+qKni4bYl
TLSH T161834BE237DEBEC75E01774B648C5EAD0B4FC9244983E3D485C74AE4580F4AA36E099E
Magika powershell
Reporter smica83
Tags:ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69791b3c6fa3eed1652fa08c
Tags:
ransomware shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 obfuscated opendir
Link:
https://www.filescan.io/uploads/69791b38a57b6af70d0f4f0a/reports/d8bef97d-a17e-4643-9ff8-f30a0fcbf20f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c481c10cdbd1f78f17486b6f55360d13d2f6158d2021ed855623aa3833926c14
Verdict:
Clean
File Type:
ps1
First seen:
2026-01-28T00:41:00Z UTC
Last seen:
2026-01-28T00:54:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/c481c10cdbd1f78f17486b6f55360d13d2f6158d2021ed855623aa3833926c14/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1858588
Signature
Creates autostart registry keys with suspicious names
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powerup Write Hijack DLL
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1858588 Sample: 15771_.ps1 Startdate: 27/01/2026 Architecture: WINDOWS Score: 96 102 rpc.payload.de 2->102 104 rpc.mevblocker.io 2->104 106 12 other IPs or domains 2->106 126 Suricata IDS alerts for network traffic 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 Uses known network protocols on non-standard ports 2->130 132 2 other signatures 2->132 12 powershell.exe 15 1006 2->12         started        16 node.exe 1 2->16         started        18 node.exe 2->18         started        signatures3 process4 dnsIp5 120 nodejs.org 104.20.1.252, 443, 49689 CLOUDFLARENETUS United States 12->120 148 Found suspicious powershell code related to unpacking or dynamic code loading 12->148 20 node.exe 1 12->20         started        23 conhost.exe 12->23         started        25 node.exe 16->25         started        28 conhost.exe 16->28         started        30 conhost.exe 18->30         started        32 node.exe 18->32         started        signatures6 process7 dnsIp8 134 Unusual module load detection (module proxying) 20->134 34 node.exe 1 20->34         started        37 cmd.exe 1 20->37         started        40 conhost.exe 20->40         started        116 api64.ipify.org 173.231.16.77, 443, 49735, 49737 WEBNXUS United States 25->116 118 api.ipify.org 172.67.74.152, 443, 49731, 49732 CLOUDFLARENETUS United States 25->118 42 cmd.exe 25->42         started        44 cmd.exe 25->44         started        46 cmd.exe 25->46         started        48 5 other processes 25->48 signatures9 process10 dnsIp11 108 91.215.85.42, 3000, 49702, 49711 PINDC-ASRU Russian Federation 34->108 110 mainnet.gateway.tenderly.co 35.227.193.242, 443, 49695, 49704 GOOGLEUS United States 34->110 112 7 other IPs or domains 34->112 50 node.exe 34->50         started        136 Suspicious powershell command line found 37->136 138 Uses cmd line tools excessively to alter registry or file data 37->138 53 reg.exe 1 1 37->53         started        56 conhost.exe 37->56         started        58 powershell.exe 42->58         started        60 conhost.exe 42->60         started        64 2 other processes 44->64 66 2 other processes 46->66 62 net.exe 48->62         started        68 9 other processes 48->68 signatures12 process13 dnsIp14 114 api.my-ip.io 23.88.33.229, 443, 49733, 49734 ENZUINC-US United States 50->114 70 cmd.exe 50->70         started        73 cmd.exe 50->73         started        75 cmd.exe 50->75         started        79 5 other processes 50->79 140 Creates autostart registry keys with suspicious names 53->140 142 Loading BitLocker PowerShell Module 58->142 77 net1.exe 62->77         started        signatures15 process16 signatures17 144 Suspicious powershell command line found 70->144 81 powershell.exe 70->81         started        84 conhost.exe 70->84         started        86 powershell.exe 73->86         started        88 conhost.exe 73->88         started        90 conhost.exe 75->90         started        92 powershell.exe 75->92         started        146 Uses cmd line tools excessively to alter registry or file data 79->146 94 net.exe 79->94         started        96 conhost.exe 79->96         started        98 8 other processes 79->98 process18 signatures19 122 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 81->122 124 Loading BitLocker PowerShell Module 86->124 100 net1.exe 94->100         started        process20
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c481c10cdbd1f78f17486b6f55360d13d2f6158d2021ed855623aa3833926c14
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c481c10cdbd1f78f17486b6f55360d13d2f6158d2021ed855623aa3833926c14/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/c481c10cdbd1f78f17486b6f55360d13d2f6158d2021ed855623aa3833926c14
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ysa4cdg32h3y6f2innxvknqncpjpmfmneaq63bkweovdqm4snqka._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260127-yv6e8ac13f/
Behaviour
Checks processor information in registry
Modifies registry key
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c481c10cdbd1f78f17486b6f55360d13d2f6158d2021ed855623aa3833926c14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
commented on 2026-02-04 08:56:22 UTC

Related to EtherRAT, more info: https://x.com/greenplan_it/status/2018721179381510477