MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fdb55b5fe318f44aec95f2a55d1130d25b961e3cd3e008b9ce04424c9320440. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: 1fdb55b5fe318f44aec95f2a55d1130d25b961e3cd3e008b9ce04424c9320440
SHA3-384 hash: 8d73de5427bb276c9ec2c0e498c5e87429d9b3071d62c38930d46072710c47a84b7f586476052978b92e4725f6dadce3
SHA1 hash: 5fb6111801adada43d3e8f113df1c128bcb9ce00
MD5 hash: eb5e388eb61ebdc379339b7e27148243
humanhash: cardinal-mexico-iowa-oklahoma
File name: virus.zip
File size: 4'692'366 bytes
First seen: 2025-12-23 10:50:30 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 98304:g+mKV5nNMD8dZAhrqh2xM200EOntYBuQ1mViqSPiFr:/mKV5nGDQ9olE+YuQ1mgqSqFr
TLSH: T172263334D4C8857445C342F702625AD9E64A58893AE9B9B433D2F54EF6FE9A30203F7A
TrID: 33.3% (.XPI) Mozilla Firefox browser extension (8000/1/1)
      25.0% (.KMZ) Google Earth saved working session (6000/1/1)
      25.0% (.WMZ) Windows Media Player skin (6000/1/1)
      16.6% (.ZIP) ZIP compressed archive (4000/1)
Magika: zip
Reporter: JAMESWT_WT
Tags: thepiratebay-st, Virus, zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 38
Origin country: IT
File Archive Information

This file archive contains 5 file(s), sorted by their relevance:

File name: One Battle After Another (2025) 2160p AMZN.WEB-DL.HEVC.x265.HDR10.DTS-HD.MA.5.1-PSA.lnk
File size: 1'890 bytes
SHA256 hash: 40667dce013f1fe4e91dd4aa50b72c5f2cd5e5c51bba1c6a5c95a528c8d5d74d
MD5 hash: 2e278a52c3a1eb83064f7d1e8f7714be
MIME type: application/octet-stream

File name: Photo.jpg
File size: 3'476'830 bytes
SHA256 hash: 1276c71599940aa7444245fb4d6a2f25cd8b0d92e81cb769b18ef7877221b0a5
MD5 hash: 0c62db01c8dc4936abcb18a14cd260da
MIME type: application/octet-stream

File name: CD.lnk
File size: 1'890 bytes
SHA256 hash: 3e50302290bb9a94c6849b431aeb26ca5d3342a40fcafeb855e649e7c13ae58a
MD5 hash: e5bfb42b625271e33ea944dc82d1653d
MIME type: application/octet-stream

File name: Cover.jpg
File size: 3'479'487 bytes
SHA256 hash: 9deb26939a5b8e5d14457efc5b43240c65b924c4630dde424b006797d3014dfa
MD5 hash: 358f1e88258c56eeba27d67c91b491d0
MIME type: application/x-rar

File name: Part2.subtitles.srt
File size: 282'877 bytes
SHA256 hash: d63296140a24ea73f92f018a744f0a472af371e43beed96be513dc90414a68e9
MD5 hash: f06201a73ebf02bddeaf0e91d3a99bec
MIME type: text/plain
Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: redirector, virus, sage

Verdict: Malicious
File Type: zip
First seen: 2025-12-23T09:31:00Z UTC
Last seen: 2025-12-23T10:08:00Z UTC
Hits: ~10

Verdict: Malware
YARA: 3 match(es)
Tags: Execution: CMD in LNK LNK LOLBin LOLBin:cmd.exe Malicious PowerShell T1059.003 T1202: Indirect Command Execution T1204.002 Zip Archive

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-12-23 10:51:16 UTC
File Type: Binary (Archive)
Extracted files: 5
AV detection: 9 of 36 (25.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion, execution, persistence
Behaviour:
  Delays execution with timeout.exe
  NTFS ADS
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Uses Task Scheduler COM API
  Enumerates physical storage devices
  Checks computer location settings
  Badlisted process makes network request
  Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction: https://go.dev/dl/go1.25.1.windows-amd64.zip
Please note that we are no longer able to provide a coverage score for Virus Total.
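A triage pass over an archive of this shape, as an added example (it is not code from MalwareBazaar, the reporter, or any vendor shown above): it unpacks the ZIP in memory, hashes each member, checks the real content type against the file extension (the listing's Cover.jpg carries a RAR MIME type), and parses the StringData of every .lnk member to recover the path and arguments the shortcut would launch, which is the "CMD in LNK" behaviour the vendor tags describe. The fixture ZIP, the shortcut bytes, the cmd.exe command line and the RAR-under-.jpg content are constructed for this example; they reuse only the member names from the listing, not the sample's contents. The release-name regex, the flag labels and the verdict roll-up are heuristics chosen for the example, not anything the page or the vendors define.

```python
import hashlib
import io
import re
import struct
import zipfile

# ShellLinkHeader constants (MS-SHLLINK 2.1): fixed header size and the ShellLink CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields appear in this fixed order, each present only when its flag is set.
STRING_DATA = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
               ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
               ("icon_location", HAS_ICON_LOCATION))
# Heuristic (chosen for this example): release-name tokens that make a .lnk look like a video rip.
RELEASE_NAME = re.compile(r"\b(720p|1080p|2160p|web-?dl|bluray|x26[45]|hevc)\b", re.I)
MAGIC = {"lnk": b"\x4c\x00\x00\x00" + LNK_CLSID, "rar": b"Rar!\x1a\x07",
         "jpeg": b"\xff\xd8\xff", "zip": b"PK\x03\x04"}
EXPECTED_TYPE = {".lnk": "lnk", ".rar": "rar", ".jpg": "jpeg", ".jpeg": "jpeg", ".zip": "zip"}


def sniff(data: bytes) -> str:
    """Identify a member by its leading bytes rather than by its extension."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (relative path, working dir, arguments, ...).
    LinkTargetIDList and LinkInfo are skipped via their own size fields; that is all
    that is needed to reach the command line the shortcut runs."""
    if sniff(data) != "lnk":
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]          # LinkFlags follows HeaderSize + CLSID
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes the size field
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes the size field
    fields = {}
    for name, bit in STRING_DATA:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
            pos += 2 + count * width
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode shortcut carrying only a path and arguments."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)


def triage_zip(zip_bytes: bytes) -> list:
    """Hash every member, sniff its real type, and flag shortcut-based lures."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            rec = {"name": info.filename, "size": len(data), "detected": sniff(data),
                   "sha256": hashlib.sha256(data).hexdigest(), "flags": []}
            if ext in EXPECTED_TYPE and EXPECTED_TYPE[ext] != rec["detected"]:
                rec["flags"].append("extension_content_mismatch")  # e.g. RAR bytes under a .jpg name
            if rec["detected"] == "lnk":
                rec["lnk"] = parse_lnk_strings(data)
                cmdline = " ".join(rec["lnk"].values()).lower()
                if re.search(r"cmd(\.exe)?\b|powershell|pwsh|mshta|wscript|cscript", cmdline):
                    rec["flags"].append("lnk_shell_interpreter")
                if RELEASE_NAME.search(lower):
                    rec["flags"].append("lnk_release_name_decoy")
            findings.append(rec)
    return findings


def archive_verdict(findings: list) -> str:
    """Roll the per-member flags up to one label for the whole archive."""
    flags = {f for rec in findings for f in rec["flags"]}
    if "lnk_shell_interpreter" in flags:
        return "malicious-lure"
    return "suspicious" if flags else "clean"


DECOY = "One Battle After Another (2025) 2160p AMZN.WEB-DL.HEVC.x265.HDR10.DTS-HD.MA.5.1-PSA.lnk"


def build_sample_zip() -> bytes:
    """Constructed fixture mirroring the member names of the listed archive; the bytes
    and the command line are synthetic, not the real sample's."""
    lnk = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c timeout /t 5 & echo constructed-example")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(DECOY, lnk)
        zf.writestr("CD.lnk", lnk)
        zf.writestr("Cover.jpg", MAGIC["rar"] + b"\x00" * 64)  # RAR bytes under an image name
        zf.writestr("Photo.jpg", b"\x00" * 64)                  # not a JPEG either
        zf.writestr("Part2.subtitles.srt", "1\n00:00:01,000 --> 00:00:02,000\nconstructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample_zip())
    for rec in results:
        print(rec["sha256"][:16], rec["detected"], rec["flags"], rec["name"])
    print("verdict:", archive_verdict(results))
```

Only the header, the two size-prefixed structures and StringData are decoded, which is enough to pull the command line out of a shortcut without executing it; a real LNK from the archive can be passed to parse_lnk_strings directly. Note that the extension check is driven by content magic, so a RAR or executable renamed to .jpg is flagged even when its name looks harmless.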

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.

Rule name: LNK_Malicious_Nov1
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious LNK file
Reference: https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/

Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files

Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an LNK file, which is suspicious

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments