MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b2ecba6b296aa48da3de6d9c256aee8c1af47454d4c69d7e812dbe5f654dd04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 7

SHA256 hash: 1b2ecba6b296aa48da3de6d9c256aee8c1af47454d4c69d7e812dbe5f654dd04
SHA3-384 hash: 7a9bf25dcbbbd0df16d0ad305dfd1cf5b80491dffc885c465ae9eb70086b1c23cc88f349b458558aa1e9a4c7a9e9c91b
SHA1 hash: 282ab69dca5fca5d63fd010cc864ef0f22c3b86d
MD5 hash: cd0bdd4981c265aaf47df66c50b01ad3
humanhash: north-artist-stairway-salami
File name: 2surionimyeaqa.zip
File size: 6'464'641 bytes
First seen: 2026-03-23 07:05:43 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 196608:06lt01fo5EbEMj+0uU+HB/OGUElH6XU8YYlbHXUZZft6:0uag5EbEc+rU+h/PUEl0U8YYlbEZBM
TLSH: T1AB563332F42C55C6C43BE4BDD0E31BD583E2230ED587D47A95A23AC4B4E278A48DDA5B
Magika: zip
Reporter: JAMESWT_WT
Tags: booking FakeCaptcha thairefaruq-com zip



Intelligence


File Origin
# of uploads: 1
# of downloads: 109
Origin country: IT
File Archive Information

This file archive contains 12 file(s), sorted by their relevance:

File name: psl.exe
File size: 66'144 bytes
SHA256 hash: 12c931dbfa907d4e394fb928f3a8a27ed7e5bf203578dabcd65bb2dd5f2f1280
MD5 hash: f83c15cdcf054820008944d8366b6f24
MIME type: application/x-dosexec

File name: libintl-8.dll
File size: 311'976 bytes
SHA256 hash: 014537629d17e625e3f3052e59b5aaad80233af0191b950367b7db06228b46de
MD5 hash: 5ff474738f95cd79dfad97305ff6c6fd
MIME type: application/x-dosexec

File name: libidn2-0.dll
File size: 257'408 bytes
SHA256 hash: c6296ac4f38ab5f6b66ccea54f337eb61e4b4c64c6cbef9b422d40906102ed23
MD5 hash: dd739331842b79885453706d874a4366
MIME type: application/x-dosexec

File name: msys-intl-8.dll
File size: 121'856 bytes
SHA256 hash: 9517978d663b324f80b3ad454e0f6a99db9cbd5022e98cea93808ddd64630aed
MD5 hash: 07bb931d03cfaf310b0369175797c719
MIME type: application/x-dosexec

File name: libunistring-5.dll
File size: 2'236'904 bytes
SHA256 hash: 351ab6db834de03308e468a660dd93cb76d1e60aa213c7fce1c36603c431b7ba
MD5 hash: f6027bba63f798a5db8ce3f43bfda60e
MIME type: application/x-dosexec

File name: msys-2.0.dll
File size: 3'371'536 bytes
SHA256 hash: 7ad917358bf910168a051aa46670fc5fbe300cd5e63fa2691ca6909237332118
MD5 hash: 8e727844e0eed3e4b14d2d87195d71b8
MIME type: application/x-dosexec

File name: libpsl-5.dll
File size: 2'771'456 bytes
SHA256 hash: a1fcfd050bda05674aa652bd63035211f7a872e3e8d6a9b91cad795578207d40
MD5 hash: d2c9fce5e948c308d7ba88386663be55
MIME type: application/x-dosexec

File name: msys-iconv-2.dll
File size: 1'108'800 bytes
SHA256 hash: b76044939dd5d6c6b7cf0d0cf877db6a2d8d7fd433212b78c837ba58f77a1775
MD5 hash: c29ee585eb10ad99a3a87aad2a772517
MIME type: application/x-dosexec

File name: msys-psl-5.dll
File size: 83'128 bytes
SHA256 hash: 465a677a62faf17255a910e52ec595e277831acf471048e84229a60417f0e7d1
MD5 hash: fbef212371b36a54980ac886bee50b4e
MIME type: application/x-dosexec

File name: libiconv-2.dll
File size: 1'146'840 bytes
SHA256 hash: 9740c8a8351587206aff71a976b9fea7457e59126807216b2e76f68a41579ed4
MD5 hash: 9a47e690745d2abf439b3466abb0ec16
MIME type: application/x-dosexec

File name: msys-unistring-5.dll
File size: 2'074'976 bytes
SHA256 hash: 7c6c656d2413d2398f99de4616416319eaea0d9f91ab8a6efa953b2fe7def760
MD5 hash: 5374fcf8f138a6a0f84cfa8a3602e59c
MIME type: application/x-dosexec

File name: msys-idn2-0.dll
File size: 207'760 bytes
SHA256 hash: 7912f8204e5b57fe00d59f9b346fcc04137237c879e0af48d2e6167fc21cb937
MD5 hash: fd464b8caab9e46e6a917f490b6b8643
MIME type: application/x-dosexec
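
The listing above gives a size, SHA256 and MD5 for every member, which is enough to check a downloaded copy of the archive against the page before anything is unpacked or run. The script below is an added example, not MalwareBazaar tooling: it carries the manifest from this entry as a constant, matches members by base name (the listing shows no directory components, so a copy that nests the files under a folder still verifies), never inflates a member whose stored size already disagrees with the manifest (so a tampered or zip-bombed copy is not read), and reports members that are listed but absent or present but unlisted. `demo()` runs the same check on a small archive constructed in memory; the real archive is passed as a path on the command line.

```python
"""Check an archive's members against the MalwareBazaar file-archive listing.

Added example; not MalwareBazaar code.  ARCHIVE_MANIFEST is copied from the
entry above; the archive built in demo() is constructed here for illustration.
"""
import hashlib
import io
import posixpath
import sys
import zipfile

# (member name, size in bytes, SHA256, MD5) exactly as listed on the page.
ARCHIVE_MANIFEST = [
    ("psl.exe",              66144,   "12c931dbfa907d4e394fb928f3a8a27ed7e5bf203578dabcd65bb2dd5f2f1280", "f83c15cdcf054820008944d8366b6f24"),
    ("libintl-8.dll",        311976,  "014537629d17e625e3f3052e59b5aaad80233af0191b950367b7db06228b46de", "5ff474738f95cd79dfad97305ff6c6fd"),
    ("libidn2-0.dll",        257408,  "c6296ac4f38ab5f6b66ccea54f337eb61e4b4c64c6cbef9b422d40906102ed23", "dd739331842b79885453706d874a4366"),
    ("msys-intl-8.dll",      121856,  "9517978d663b324f80b3ad454e0f6a99db9cbd5022e98cea93808ddd64630aed", "07bb931d03cfaf310b0369175797c719"),
    ("libunistring-5.dll",   2236904, "351ab6db834de03308e468a660dd93cb76d1e60aa213c7fce1c36603c431b7ba", "f6027bba63f798a5db8ce3f43bfda60e"),
    ("msys-2.0.dll",         3371536, "7ad917358bf910168a051aa46670fc5fbe300cd5e63fa2691ca6909237332118", "8e727844e0eed3e4b14d2d87195d71b8"),
    ("libpsl-5.dll",         2771456, "a1fcfd050bda05674aa652bd63035211f7a872e3e8d6a9b91cad795578207d40", "d2c9fce5e948c308d7ba88386663be55"),
    ("msys-iconv-2.dll",     1108800, "b76044939dd5d6c6b7cf0d0cf877db6a2d8d7fd433212b78c837ba58f77a1775", "c29ee585eb10ad99a3a87aad2a772517"),
    ("msys-psl-5.dll",       83128,   "465a677a62faf17255a910e52ec595e277831acf471048e84229a60417f0e7d1", "fbef212371b36a54980ac886bee50b4e"),
    ("libiconv-2.dll",       1146840, "9740c8a8351587206aff71a976b9fea7457e59126807216b2e76f68a41579ed4", "9a47e690745d2abf439b3466abb0ec16"),
    ("msys-unistring-5.dll", 2074976, "7c6c656d2413d2398f99de4616416319eaea0d9f91ab8a6efa953b2fe7def760", "5374fcf8f138a6a0f84cfa8a3602e59c"),
    ("msys-idn2-0.dll",      207760,  "7912f8204e5b57fe00d59f9b346fcc04137237c879e0af48d2e6167fc21cb937", "fd464b8caab9e46e6a917f490b6b8643"),
]


def digests(data: bytes) -> tuple:
    """SHA256 and MD5 hex digests, the two hashes the listing gives per member."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def verify_archive(zip_bytes: bytes, manifest) -> dict:
    """Map each member to one of: ok, size_mismatch, hash_mismatch, unexpected, missing.

    Members are matched on base name because the listing has no directory
    component.  A member whose stored size disagrees with the manifest is
    reported without being inflated, so a tampered or oversized copy is not read.
    """
    expected = {name: (size, sha.lower(), md5.lower()) for name, size, sha, md5 in manifest}
    report, seen = {}, set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = posixpath.basename(info.filename)
            if name not in expected:
                report[info.filename] = "unexpected"
                continue
            seen.add(name)
            size, sha256, md5 = expected[name]
            if info.file_size != size:
                report[name] = "size_mismatch"
                continue
            report[name] = "ok" if digests(zf.read(info)) == (sha256, md5) else "hash_mismatch"
    for name in expected:
        if name not in seen:
            report[name] = "missing"
    return report


def demo() -> dict:
    """Constructed archive and manifest that exercise every status the check can return."""
    members = {"a.exe": b"MZ constructed stub a", "b.dll": b"MZ constructed stub b", "c.dll": b"constructed c"}
    manifest = [(name, len(data), *digests(data)) for name, data in members.items()]
    manifest[1] = ("b.dll", len(members["b.dll"]), "00" * 32, manifest[1][3])   # wrong SHA256, right size
    manifest[2] = ("c.dll", len(members["c.dll"]) + 1, manifest[2][2], manifest[2][3])  # wrong size
    manifest.append(("d.dll", 10, "11" * 32, "22" * 16))                        # listed, not in the zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
        zf.writestr("extra/e.dll", b"unlisted member")                         # in the zip, not listed
    return verify_archive(buf.getvalue(), manifest)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            report = verify_archive(fh.read(), ARCHIVE_MANIFEST)
    else:
        report = demo()
    for name, status in sorted(report.items()):
        print(f"{status:14} {name}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Run it as `python verify_archive.py 2surionimyeaqa.zip` against a copy fetched from the entry; anything other than twelve `ok` lines means the copy is not the archive this page describes. Hashing the members rather than the outer zip also survives re-packing of the same payload, which a SHA256 of the zip alone does not.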
Vendor Threat Intelligence

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: inconclusive
YARA: 3 match(es)
Tags: Executable, PDB Path, PE (Portable Executable), PE File Layout, Zip Archive

Threat name: Win64.Backdoor.Androm
Status: Suspicious
First seen: 2026-03-21 14:06:21 UTC
File Type: Binary (Archive)
Extracted files: 13
AV detection: 11 of 36 (30.56%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: discovery, persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Check_OutputDebugStringA_iat

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: RC6_Constants
Author: chort (@chort0)
Description: Look for RC6 magic constants in binary
Reference: https://twitter.com/mikko/status/417620511397400576

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: telebot_framework
Author: vietdx.mb

Rule name: test_Malaysia
Author: rectifyq
Description: Detects file containing malaysia string

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: zip 1b2ecba6b296aa48da3de6d9c256aee8c1af47454d4c69d7e812dbe5f654dd04 (this sample)

Delivery method: Distributed via web download
