MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03369bf3a8f0feeabdf6b16e7640f6f40eed5a96bff06a884ff30f10f55b5b68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03369bf3a8f0feeabdf6b16e7640f6f40eed5a96bff06a884ff30f10f55b5b68
SHA3-384 hash: 1ee5162bf1b02ef23125ec018da88561bc0122e0456764df2c9d0d0475a035c21f571d4d569364413c7cd5b9ce8c2389
SHA1 hash: 24bb090f2ab7b16b367c5405104931348dab6eb3
MD5 hash: 05990ef9d0cfb0e2c427641c05824bb1
humanhash: bakerloo-nuts-mango-emma
File name:Comprobante_Facturacion_55342918C.pdf.exe
Download: download sample
File size:20'085'248 bytes
First seen:2025-12-10 10:15:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f9a1dab1b356dabe646a14b95d3dd580
ssdeep 49152:PWviDKgv1Mx8V2m2gW7Na4mH3wrnGmm3hjon6AT11h7k5HJxNtrjFFCxaQSZ1dS5:PpDTSbmKpaxH3wrGmm3ni
TLSH T11E172311BBD18C37C43706389C2B9BDD6E25BE101D2899EB37F17D4D2E3A7827819296
TrID 30.1% (.EXE) InstallShield setup (43053/19/16)
29.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
18.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
7.3% (.EXE) Win64 Executable (generic) (10522/11/4)
7.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Magika pebin
dhash icon 0058e8f0f0f06800
Reporter 1ZRR4H
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
CL CL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_03369bf3a8f0feeabdf6b16e7640f6f40eed5a96bff06a884ff30f10f55b5b68.exe
Verdict:
No threats detected
Analysis date:
2025-12-10 10:16:50 UTC
Tags:
delphi upx
Link:
https://app.any.run/tasks/c28867b1-068a-4570-b8ef-e7885a25db52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44135/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69394845a675b653bd0fa9d7
Tags:
underscore vmdetect
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 borland_delphi fingerprint installer-heuristic keylogger masquerade packed tiger
Link:
https://www.filescan.io/uploads/6939483d900ee247e8410860/reports/31b41f88-033a-45e0-b8c7-a2381e40e578/overview
Verdict:
Malicious
Labled as:
Giant.Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/03369bf3a8f0feeabdf6b16e7640f6f40eed5a96bff06a884ff30f10f55b5b68
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-01T15:57:00Z UTC
Last seen:
2025-12-02T10:27:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Inject.sb BSS:Trojan.Win32.Generic HEUR:Trojan.Win32.Inject.gen
Link:
https://opentip.kaspersky.com/03369bf3a8f0feeabdf6b16e7640f6f40eed5a96bff06a884ff30f10f55b5b68/results?tab=lookup
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/03369bf3a8f0feeabdf6b16e7640f6f40eed5a96bff06a884ff30f10f55b5b68
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/05990ef9d0cfb0e2c427641c05824bb1
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Inject
Link:
https://tip.neiki.dev/file/03369bf3a8f0feeabdf6b16e7640f6f40eed5a96bff06a884ff30f10f55b5b68
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 10:16:24 UTC
File Type:
PE (Exe)
Extracted files:
390
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=am3jx45i6d7ovppwwfxhmqhw6qho2wuwx7ygvccp6mhrb5k3lnua._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery upx
Link:
https://tria.ge/reports/251210-mafhhsymdx/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
UPX packed file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0bdcb9f1-e1fb-47d0-8452-ba4ad1e06cfe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/03369bf3a8f0feeabdf6b16e7640f6f40eed5a96bff06a884ff30f10f55b5b68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/44135/

Comments