MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a580bb0304e1bec361d6ca63f927546d2f6dabc1f288c22570f7bddbeae6786. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 23 File information Comments

SHA256 hash:	0a580bb0304e1bec361d6ca63f927546d2f6dabc1f288c22570f7bddbeae6786
SHA3-384 hash:	c38b3b9cfc3645b099c7d847edfa4be3b5472b7435beec52b6ca54a0d7c6ebb62bb99153a5565091336d06e559661f54
SHA1 hash:	bfb90d4412997743d689dea625af247554973470
MD5 hash:	616401e9e219678e74b86717cc3e88f4
humanhash:	hydrogen-magazine-tennessee-avocado
File name:	New Order 31326.arj
Download:	download sample
File size:	1'607'168 bytes
First seen:	2025-02-10 09:11:47 UTC
Last seen:	Never
File type:	arj
MIME type:	application/x-rar
ssdeep	49152:c7owV9dmOZIr1wl02VkRRgDPzhOW9OD++pHzv:UowAOZIr1wl02eRgD7hpOlpHz
TLSH	T1D875336A6D5D36677EC25DCC4C03AD253F1D18E8BBF0FA2AD801DDD3A12F6A36205462
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	arj

cocaman

Malicious email (T1566.001)
From: "Evgeniy Kalush <cjowwx@optonlaser.com>" (likely spoofed)
Received: "from 62-210-11-50.rev.poneytelecom.eu (unknown [62.210.11.50]) "
Date: "7 Feb 2025 09:32:35 -0800"
Subject: "New Order 31326"
Attachment: "New Order 31326.arj"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 6 file(s), sorted by their relevance:

File name:	vcruntime140_1.dll
File size:	36'424 bytes
SHA256 hash:	d34288fcb286d4e2056f969767a65f09cf6e71ad27fe3af4edd1584cd95fd55f
MD5 hash:	f124d735ebff3330b5b6cfa7df1c17be
MIME type:	application/x-dosexec

File name:	BugSplat64.dll
File size:	2'619'392 bytes
SHA256 hash:	d84ab36226aa91f630bfd6a5ace4bb48d8550ac864f1987f55c9bf85c1b3af97
MD5 hash:	0e467111347ba6ac997824ebf06ce1a5
MIME type:	application/x-dosexec

File name:	New Order 31326.exe
File size:	262'096 bytes
SHA256 hash:	ad4cd780bd7accd7482dcf6222910aafee971c7ab870ebae0022d51b237fa5cb
MD5 hash:	2a39ab7049226dec986fa602a26f5372
MIME type:	application/x-dosexec

File name:	vcruntime211.dll
File size:	379'408 bytes
SHA256 hash:	2acd3cea22773fdf55f14c38534f56d1ad52227bbbeb6c7bdae0dbaa49becdb5
MD5 hash:	5eaee2806e7188a16a15d36c91e49ffc
MIME type:	application/x-dosexec

File name:	vcruntime140.dll
File size:	86'296 bytes
SHA256 hash:	de6ca787d0e0a30810fea570db867199d32ed71867e1c36a0f58ed71d540f035
MD5 hash:	3e746699828f9e9aab45b8f1c3cea4a1
MIME type:	application/x-dosexec

File name:	vcruntime210.dll
File size:	32'928 bytes
SHA256 hash:	b47ac5d5cb2fd68f574a3b9439f68050725499c9d8973ff7bc55b56ffc8d33a7
MD5 hash:	f8bd38baef9deb2426c3f53fc90625dc
MIME type:	application/octet-stream

Vendor Threat Intelligence

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67a9c3f1f667f46cd182c96f

Tags:

malware

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/0a580bb0304e1bec361d6ca63f927546d2f6dabc1f288c22570f7bddbeae6786

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a580bb0304e1bec361d6ca63f927546d2f6dabc1f288c22570f7bddbeae6786/

Threat name:

Win64.Trojan.Alevaul

Status:

Malicious

First seen:

2025-02-07 12:13:37 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bjmaxmbqjyn6ynq5nstd7etvi3jpnwv4d4uiyisxb5553pvom6da._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0a580bb0304e1bec361d6ca63f927546d2f6dabc1f288c22570f7bddbeae6786

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)