MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c
SHA3-384 hash: ec017d12e7799434981636ccbb9425944eee8bbdbe6e27cad3145530cac0a503881ba058d187c330a045030fb69c6753
SHA1 hash: 7ea62f4b205d247f8d2dbea74c25a9e8db190943
MD5 hash: 28406d0b59f2c5b4fd52eafbf314757a
humanhash: butter-march-network-angel
File name:5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c.zip
Download: download sample
File size:8'936'383 bytes
First seen:2025-03-18 11:13:08 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 196608:SbJwZm7rubDBzthdb9DUcqyxutMo4tvMoMfFf1i+7eKQZM90:SbJw7DNth19DWkoM16oMf91iqeK0b
TLSH T1FE962229F4593671E84EC5B401B00EA403E4BD35237F87C422B5759F96ABFAE9B70A34
Magika zip
Reporter JAMESWT_WT
Tags:DropBox file-pumped guninfoo-run--ASDgqwe zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
441
Origin country :
IT IT
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:AgnotSecurity.exe
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:702'502'578 bytes
SHA256 hash: 44e70fdb915e1940cd7ecaf9c1b0402f2fc240ddfee44858fd6afd8bbc0cb7e2
MD5 hash: 3e7f13cd6f2062235945c31a3be7886b
De-pumped file size:9'339'392 bytes (Vs. original size of 702'502'578 bytes)
De-pumped SHA256 hash: c490e61341406bea452bfc8db9a77eb4636eb2ccdd8d70e133aa2537ee90858d
De-pumped MD5 hash: 3d3893a2d4e6e641f0fdeadd0596105f
MIME type:application/x-dosexec
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d9608e08116ce425722483
Tags:
shellcode virus
Result
Verdict:
Malicious
File Type:
ZIP File - Malicious
Link:
https://app.docguard.net/5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c/results/dashboard
Behaviour
SuspiciousEmbeddedObjects detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug bloated fingerprint invalid-signature large-file microsoft_visual_cc overlay packed signed
Link:
https://www.filescan.io/uploads/67d95549dab9a7b6c595b0aa/reports/c41ef9e2-5711-4288-9702-4d162e4174f1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c/
Threat name:
Win32.Exploit.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-03-15 13:46:55 UTC
File Type:
Binary (Archive)
Extracted files:
68
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lernjlqhhzawiuirtak6yasd4oompzie3tdxitbe5chwbulfb2oa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250318-rqvplayky3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks for any installed AV software in registry
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Suspicious_Latam_MSI_and_ZIP_Files
Create hunting rule
Author:eremit4, P4nd3m1cb0y
Description:Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

zip 5922d4ae073e416451119815ec0243e39cc7e504dcc7744c24e88f60d1650e9c

(this sample)

Executable exe c490e61341406bea452bfc8db9a77eb4636eb2ccdd8d70e133aa2537ee90858d

  
Dropping
SHA256 c490e61341406bea452bfc8db9a77eb4636eb2ccdd8d70e133aa2537ee90858d
  
Dropping
MD5 3d3893a2d4e6e641f0fdeadd0596105f

Comments