MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11ccdd359c97d76f2ba6a8d0ce3cca08cff1cf638eae3f2bc6ba2732b8877e30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11ccdd359c97d76f2ba6a8d0ce3cca08cff1cf638eae3f2bc6ba2732b8877e30
SHA3-384 hash: 8606cee884ef51aa22b1a663e5fe8289511d887b6ce6b8096de96c7687470bcdcaa97c11bf929679c61c548a2b2c6d86
SHA1 hash: 6c467af0be1b12805a1d8805c3bf94c6a1b99e37
MD5 hash: 91a88b6811d3a122b5560082fe6c2257
humanhash: massachusetts-sierra-oranges-blue
File name:DHL INVOICE.exe
Download: download sample
File size:1'274'880 bytes
First seen:2026-02-27 13:24:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1895460fffad9475fda0c84755ecfee1 (393 x Formbook, 119 x AgentTesla, 58 x a310Logger)
ssdeep 24576:Y5EmXFtKaL4/oFe5T9yyXYfP1ijXdaT8TQRVGhmebc8WM03JjX:YPVt/LZeJbInQRaT0wVGP/03J
TLSH T1E445BF0273C1C066FFAB95334F5AF6115BBC79260123AA2F13981DB9B9701B1563E7A3
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
AutoIt
Details
AutoIt
extracted scripts and files
Link:
https://research.acce.ciphertechsolutions.com/results/73acb61e-c959-43fa-8ea1-39490d1ea3da/
Malware family:
n/a
ID:
1
File name:
DHL INVOICE.exe
Verdict:
Suspicious activity
Analysis date:
2026-02-26 08:52:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4359ff8b-b17e-4975-b6ee-2241f46add0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54861/
Detection(s):
SecuriteInfo.com.Win32.Trojan.Agent.35E5V6.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a19b3cc950ab5d9ab21b85
Tags:
autorun autoit emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint installer-heuristic keylogger masquerade microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/69a19b3dcd25bfe1dfdbe9a7/reports/ec21dbc5-439f-4c66-9da5-150055d34b6b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/11ccdd359c97d76f2ba6a8d0ce3cca08cff1cf638eae3f2bc6ba2732b8877e30
Verdict:
Malicious
File Type:
exe x32
Detections:
HEUR:Trojan.Script.Strab.gen VHO:Trojan-Dropper.Win32.Scrop.apqz Trojan.Win32.Zenpak.sb Trojan.Win32.Strab.sb Trojan.Win32.Auzenpak.sb PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Scrop.apqz
Link:
https://opentip.kaspersky.com/11ccdd359c97d76f2ba6a8d0ce3cca08cff1cf638eae3f2bc6ba2732b8877e30/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f19bba7-ff30-448b-aef7-7feb784ff7dc
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1875191
Signature
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1875191 Sample: DHL INVOICE.exe Startdate: 26/02/2026 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 Sigma detected: Drops script at startup location 2->70 72 Binary is likely a compiled AutoIt script file 2->72 74 5 other signatures 2->74 14 DHL INVOICE.exe 4 2->14         started        18 wscript.exe 1 2->18         started        process3 file4 66 C:\Users\user\AppData\Local\...\untrashed.exe, PE32 14->66 dropped 98 Binary is likely a compiled AutoIt script file 14->98 20 untrashed.exe 2 14->20         started        100 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->100 102 WScript reads language and country specific registry keys (likely country aware script) 18->102 24 untrashed.exe 1 18->24         started        signatures5 process6 file7 64 C:\Users\user\AppData\...\untrashed.vbs, data 20->64 dropped 80 Multi AV Scanner detection for dropped file 20->80 82 Binary is likely a compiled AutoIt script file 20->82 84 Drops VBS files to the startup folder 20->84 86 Found API chain indicative of sandbox detection 20->86 26 untrashed.exe 1 20->26         started        29 untrashed.exe 1 24->29         started        signatures8 process9 signatures10 92 Binary is likely a compiled AutoIt script file 26->92 31 untrashed.exe 1 26->31         started        34 untrashed.exe 1 29->34         started        process11 signatures12 104 Binary is likely a compiled AutoIt script file 31->104 36 untrashed.exe 1 31->36         started        39 untrashed.exe 1 34->39         started        process13 signatures14 78 Binary is likely a compiled AutoIt script file 36->78 41 untrashed.exe 1 36->41         started        44 untrashed.exe 39->44         started        process15 signatures16 90 Binary is likely a compiled AutoIt script file 41->90 46 untrashed.exe 1 41->46         started        49 untrashed.exe 44->49         started        process17 signatures18 96 Binary is likely a compiled AutoIt script file 46->96 51 untrashed.exe 1 46->51         started        54 untrashed.exe 49->54         started        process19 signatures20 76 Binary is likely a compiled AutoIt script file 51->76 56 untrashed.exe 1 51->56         started        59 untrashed.exe 54->59         started        process21 signatures22 88 Binary is likely a compiled AutoIt script file 56->88 61 untrashed.exe 1 56->61         started        process23 signatures24 94 Binary is likely a compiled AutoIt script file 61->94
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/11ccdd359c97d76f2ba6a8d0ce3cca08cff1cf638eae3f2bc6ba2732b8877e30
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11ccdd359c97d76f2ba6a8d0ce3cca08cff1cf638eae3f2bc6ba2732b8877e30/
Verdict:
Malicious
Threat:
VHO:Trojan-Dropper.Win32.Scrop
Link:
https://tip.neiki.dev/file/11ccdd359c97d76f2ba6a8d0ce3cca08cff1cf638eae3f2bc6ba2732b8877e30
Threat name:
Win32.Worm.AutoRun
Create hunting rule
Status:
Malicious
First seen:
2026-02-26 07:48:00 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=chgn2nm4s7lw6k5gvdim4pgkbdh7dt3dr2xd6k6gxittfoehpyya._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/260227-qn3fzsav6c/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
ff9bba947a3f079de603bf68cb779e2820360b38e5b0e42d0dfa3214f6fdf25c
MD5 hash:
55e40ed5049748111ac74e2337ad4f75
SHA1 hash:
cfb2bdc5cca197de3de3db16303c0c78612aa771
Link:
https://www.unpac.me/results/e1f20b53-a0bc-4bc4-ac45-8cee867cb2a5/
SH256 hash:
11ccdd359c97d76f2ba6a8d0ce3cca08cff1cf638eae3f2bc6ba2732b8877e30
MD5 hash:
91a88b6811d3a122b5560082fe6c2257
SHA1 hash:
6c467af0be1b12805a1d8805c3bf94c6a1b99e37
Link:
https://www.unpac.me/results/e1f20b53-a0bc-4bc4-ac45-8cee867cb2a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11ccdd359c97d76f2ba6a8d0ce3cca08cff1cf638eae3f2bc6ba2732b8877e30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54861/

Comments