MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bf110e7931be48ca267d6461b9c6bafeb296293530fd34b30f9eff098221b89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash:	1bf110e7931be48ca267d6461b9c6bafeb296293530fd34b30f9eff098221b89
SHA3-384 hash:	425cbfdf40dc06c6061b68cec6ae8cdf5e886cc212cb40dd198a819479a9497251e9cbffa7b996f391bfeb270cf25a18
SHA1 hash:	61321bf671a911b106bea5b7a86c4bd856091676
MD5 hash:	82ce7380bef42b8c5bd3b6a589bb7f9f
humanhash:	yellow-black-winter-zebra
File name:	PO# ENQ8864.Pdf.exe
Download:	download sample
File size:	1'286'973 bytes
First seen:	2025-02-26 11:47:53 UTC
Last seen:	2025-03-03 09:51:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	98f67c550a7da65513e63ffd998f6b2e (21 x SnakeKeylogger, 13 x MassLogger, 11 x CryptOne)
ssdeep	24576:K5xolYQY6Du6J33O0c+JY5UZ+XC0kGso6Faa1Bs3jWy:dYSu0c++OCvkGs9FaavsSy
Threatray	58 similar samples on MalwareBazaar
TLSH	T14955AF2363CDD224D77681B2BE29B7557E7B3C310A60BC4B2F941E28797012266BD35B
TrID	33.9% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 23.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 17.7% (.EXE) InstallShield setup (43053/19/16) 12.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 4.3% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika	pebin
dhash icon	65626363c383e221 (3 x SnakeKeylogger, 1 x zgRAT)
Reporter	adrian__luca
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

397

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO# ENQ8864.Pdf.exe

Verdict:

No threats detected

Analysis date:

2025-02-26 13:10:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2300ebe4-ca7e-49c4-9459-565b22011717

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Win.Malware.Swisyn-7610494-0

Win.Virus.Sality-6335700-2

Win.Malware.Swisyn-9942393-0

Win.Trojan.VBGeneric-6735885-0

Win.Virus.Sality-6747602-0

Win.Trojan.Kazy-304

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67beffe428ab76d43a5d4992

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit explorer lolbin masquerade obfuscated overlay packed packer_detected visual_basic

Link:

https://www.filescan.io/uploads/67beff8c6222db7f23dc3b33/reports/d69bd7f8-250b-4996-87d7-4935e8174f99/overview

Verdict:

Malicious

Labled as:

Trojan.Swisyn

Link:

https://www.hybrid-analysis.com/sample/1bf110e7931be48ca267d6461b9c6bafeb296293530fd34b30f9eff098221b89

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MOFKSYS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/76868588-dbfc-4985-be40-90f8b6b99a5d

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1624645

Signature

Antivirus / Scanner detection for submitted sample

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspicious Double Extension File Execution

Uses an obfuscated file name to hide its real file extension (double extension)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1bf110e7931be48ca267d6461b9c6bafeb296293530fd34b30f9eff098221b89

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bf110e7931be48ca267d6461b9c6bafeb296293530fd34b30f9eff098221b89/

Threat name:

Win32.Trojan.Golsys

Status:

Malicious

First seen:

2025-02-26 11:48:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dpyrbz4tdpsizith2zdbxhdlv7vssyutkmh5gszq7hx7bgbcdoeq._file

Verdict:

malicious

Label(s):

mofksys

94e024435cc8cafb2705bf98e9551feaa5d2ab426fcbcef9efde59fe9ccb9e53

9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af

b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760

c362ad9f9f4035ccc651762387b567234b98f24d73e5588f0ab35c7face15fab

d0a427ef5fa5496840ff480c1ba3f2b4a533d516f6fff8b012e131a4d5f6ddc6

d21725f320089d0f7dfbaa3a3a16545c0442f3b207089fb9faf1b489f9a5d6d2

d4409a190a74dd98d16c9818b60040256a024733be1e9f151dd46e3c4243abcb

eb825b11d00bc3ec41e7856a59ebe1027e3f9c9128a177e182f688535f22bfb6

error

+ 48 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250226-n3hc9ayn15/

Behaviour

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

trojan Win.Malware.Swisyn-7610494-0

YARA:

Windows_Generic_Threat_2bb7fbe3

Link:

https://app.threat.zone/submission/154db6a9-2d7c-4d0a-864c-66d3d9202500

Unpacked files

SH256 hash:

1bf110e7931be48ca267d6461b9c6bafeb296293530fd34b30f9eff098221b89

MD5 hash:

82ce7380bef42b8c5bd3b6a589bb7f9f

SHA1 hash:

61321bf671a911b106bea5b7a86c4bd856091676

Link:

https://www.unpac.me/results/f2b4bf2b-b554-4a3e-b46d-47b72ff1fcc1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1bf110e7931be48ca267d6461b9c6bafeb296293530fd34b30f9eff098221b89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	ProtectSharewareV11eCompservCMS Create hunting rule
Author:	malware-lu

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_Imphash_Mar23_2 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:	Internal Research

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Generic_Threat_2bb7fbe3 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 1bf110e7931be48ca267d6461b9c6bafeb296293530fd34b30f9eff098221b89

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaCopyBytes MSVBVM60.DLL::__vbaSetSystemError MSVBVM60.DLL::__vbaExitProc MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaFileOpen

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample