MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c15feb12251c87f0ece29a4378e44381eceef01df7feb3e0e5de50222ec2406. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	0c15feb12251c87f0ece29a4378e44381eceef01df7feb3e0e5de50222ec2406
SHA3-384 hash:	436386d43426484fddf99a561449c612c96792487578a31fdeb3d4b21c3f835ad28a6023f40dfc8f1b617bf6e10ccd7f
SHA1 hash:	a0c82fda2fd6fe34e9c39f8aecaf279d5543474d
MD5 hash:	12a36d188d07420d5d20273b835d47e8
humanhash:	montana-mexico-football-hamper
File name:	photo-529383169.zip
Download:	download sample
File size:	5'485 bytes
First seen:	2026-05-26 10:28:12 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	96:rb4NdOVJETkFeyV+5RXA5lkrvEkbmf/JjrlVaVnQ+1JKsDqHpUJ:fjVJECVuWkr8amf/JPlUVnQuKS+6
TLSH	T109B17D283E8B14C8C02B93BB6EC0FE447575D1E697D168DA93EA5444D73974F0A91701
Magika	zip
Reporter	smica83
Tags:	zip

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	MP-344934001.mp4
File size:	4'226 bytes
SHA256 hash:	0382056d7cb04b4e7b8173a4482be3a052492978553c49b29ac7347e498e6ad9
MD5 hash:	376b4e8d9a76c43d8e479810704f3aa5
MIME type:	application/octet-stream

File name:	IMG-845246947.png.lnk
File size:	2'087 bytes
SHA256 hash:	2a2c60256bfd9bb44aff42bbb520773585ca4b2fdd0cd6b68a2c98615a5e574d
MD5 hash:	c857c015740acb1a95758d046ccb1cca
MIME type:	application/octet-stream

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4cc49db2-7f7f-4f57-aa21-fd61f5141850/

Detection(s):

Sanesecurity.Foxhole.Zip_png.UNOFFICIAL

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL

Sanesecurity.Malware.30517.LnkHeur.UNOFFICIAL

Sanesecurity.Malware.30537.LnkHeur.UNOFFICIAL

TwinWave.EvilLNK.LOLBinOddLook.20220523.UNOFFICIAL

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL

TwinWave.EvilLNK.Guinnesses.M2.20220719.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a1575c45b1db29f5a47fc9d

Tags:

infosteal rapid

Result

Verdict:

Malicious

File Type:

LNK File

Link:

https://app.docguard.net/0c15feb12251c87f0ece29a4378e44381eceef01df7feb3e0e5de50222ec2406/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive masquerade powershell

Link:

https://www.filescan.io/uploads/6a1575c1e05d89b3613ddb41/reports/e3e7fde9-c5a4-4707-a636-1f77baa39e03/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/0c15feb12251c87f0ece29a4378e44381eceef01df7feb3e0e5de50222ec2406

Verdict:

Malicious

File Type:

zip

First seen:

2026-05-26T08:28:00Z UTC

Last seen:

2026-05-26T08:42:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/0c15feb12251c87f0ece29a4378e44381eceef01df7feb3e0e5de50222ec2406/results?tab=lookup

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0c15feb12251c87f0ece29a4378e44381eceef01df7feb3e0e5de50222ec2406/

Threat name:

Shortcut.Trojan.Generic

Status:

Suspicious

First seen:

2026-05-26 10:29:41 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

12 of 35 (34.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bqk75mjckheh6dwofgsdpdsehapm53yb3576wpqolxsqeixmeqda._file

Result

Malware family:

n/a

Score:

10/10

Tags:

execution persistence

Link:

https://tria.ge/reports/260526-nh4ezsgv4m/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Badlisted process makes network request

Malware Config

Dropper Extraction:

https://nodejs.org/dist/v24.13.0/node-v24.13.0-win-x64.zip

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c15feb12251c87f0ece29a4378e44381eceef01df7feb3e0e5de50222ec2406

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	PS_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

Rule name:	SUSP_LNK_SuspiciousCommands Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects LNK file with suspicious content

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample