MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff62bdaefed81c62cf22aedb7189454920f39a73bf033ef1a47996c70e92b54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6



SHA256 hash: 2ff62bdaefed81c62cf22aedb7189454920f39a73bf033ef1a47996c70e92b54
SHA3-384 hash: 2047ce7b2d33349de566e997674b09fb6989f21c27e38acae289cf69f9346de4f675bd59b9c9651ecc08c71d9f1cb740
SHA1 hash: 5c7da0fc8f5e8789992d947171f94999d2c230f2
MD5 hash: a0399a0d7f669bdfc2b357157f146dcf
humanhash: july-lamp-berlin-foxtrot
File name: cp_sh.eml.zip
File size: 14'993'769 bytes
First seen: 2025-02-09 17:07:54 UTC
Last seen: 2025-02-14 16:24:59 UTC
File type: zip
MIME type: application/zip
ssdeep 393216:bawY0/DUDLmPOMdYGOvEbmVf9FpyE2/1TAIyj4VBYTf:bawYoIDKPDOP1yn1TAItVef
TLSH T1B6E6BBDEED528693EE281168D14DD2BF0D8C8F0425BAD840F3B1C4BDD716FA18629F5A
Magika: zip
Reporter: aachum
Tags: 62-60-234-80 cp-sh file-pumped HIjackLoader zip


Comment by iamaachum:
https://u2.latenativereunion.shop/cp_sh.eml

C2: 62.60.234.80

Intelligence

File Origin
Number of uploads: 3
Number of downloads: 513
Origin country: ES
File Archive Information

This file archive contains 24 file(s), sorted by their relevance:

File name:cpfe.dll
Pumped file: this file has been pumped, i.e. inflated with filler bytes to 844 MB so that it exceeds the file-size limits of many scanners and sandboxes. MalwareBazaar has de-pumped it; the hashes of both the original and the de-pumped file are listed below, so either form can be matched.
File size:844'367'354 bytes
SHA256 hash: 4fdcac3f2019fc7e98a60373e4b263a605dbabe2965fdc7cc5348523c24f8d35
MD5 hash: 8ad7a03464add60f0cac8cabb2385b6c
De-pumped file size:5'156'864 bytes (Vs. original size of 844'367'354 bytes)
De-pumped SHA256 hash: c93eb39b1042b83c46816c9558e865f14af96f972730626e81d7eb53b8045eb0
De-pumped MD5 hash: eac01f58e7f60c7d40db53b061bc1346
MIME type:application/x-dosexec
File name:dbxinf.dll
File size:267'240 bytes
SHA256 hash: b566905fb89af2d16dd8171443fc8264842313170f6cd346cb334ad91ad1f172
MD5 hash: fe7ad2d966ae5f94b8c1a738a1475b3f
MIME type:application/x-dosexec
File name:vcldb290.bpl
File size:541'160 bytes
SHA256 hash: f3b056dd4cf62fc71b3f2b51f71c66651e51c8fcd63e89f6a98675921cfa806d
MD5 hash: 2f377223d522cb65d97985f74cdfd4d8
MIME type:application/x-dosexec
File name:vclie290.bpl
File size:1'104'872 bytes
SHA256 hash: 8e46646b371d0a100eae3852775d416bf9669e4e20e98abf744993595687fd0b
MD5 hash: 50daa52cb7544673646693cfb80bd040
MIME type:application/x-dosexec
File name:dbxasa.dll
File size:413'672 bytes
SHA256 hash: 8505bf81aefb0d3cc8f9898241875faf47a4d7476fbfc26fe6fb3a7bdab4d3ee
MD5 hash: 3e3e825275c968acb0570c16b5cbc7bf
MIME type:application/x-dosexec
File name:cassoulet.pkg
File size:56'347 bytes
SHA256 hash: e68bce3f61193576d743fcd7f4cf6ce98ca57b0e3db3ca2bc46d41ccf0d5b9a9
MD5 hash: ac65af3eb9bada3d75d7f2c9f86d8273
MIME type:application/octet-stream
File name:vclhie290.bpl
File size:61'928 bytes
SHA256 hash: 49f81b7a066a2e43e38b57bfca63531b118491799af734fc257e905c81af91cf
MD5 hash: 8346d71664788636023289bff7aae163
MIME type:application/x-dosexec
File name:vcldbx290.bpl
File size:93'160 bytes
SHA256 hash: 7bced8029b0add4381db86b54ec78bd8966890dbeae12d6aa378d0ed6ce92c9b
MD5 hash: 11b0604585d58de18f7fd7a21c7cae7d
MIME type:application/x-dosexec
File name:dbxfb.dll
File size:290'280 bytes
SHA256 hash: a10d2c096f3d7ca6e16fb6c14a16c455693d35783f401489eba78b1e564c39f6
MD5 hash: fbe21c0e2fd44e82896f6274fe7acaec
MIME type:application/x-dosexec
File name:dbxmss9.dll
File size:286'184 bytes
SHA256 hash: 5222053db19e1f89487811540ccded50838ccdfb00fa1add071a108e614d91d4
MD5 hash: a36e753bd4a287c5418cbf9f36ba95f0
MIME type:application/x-dosexec
File name:BORLAND_SIG
File size:178 bytes
SHA256 hash: 9d02dadc66fd63c366401231c8e49649291b17b1e1672aeb45cbcf9d5d5a1323
MD5 hash: dcecb1f909d1ff37b2adfa9cbacc4478
MIME type:application/octet-stream
File name:vclimg290.bpl
File size:363'496 bytes
SHA256 hash: 121fcfc98fd850bafcb444b8262cc645b2dd12fec4e9dde37798eda5df581009
MD5 hash: 8da1cc2f7fee2b1440ca4c2b48d7f991
MIME type:application/x-dosexec
File name:vcruntime140.dll
File size:90'704 bytes
SHA256 hash: e0850ad7c2431f822359e129c85b708373759a1aaadb70b3740642ea44345a04
MD5 hash: 984c36e57e47581e267151aca04e9580
MIME type:application/x-dosexec
File name:dbxmss.dll
File size:286'184 bytes
SHA256 hash: ca241b788654ca4f88ef5d306f904a0cda376471e9a9b00dd4155be90619095c
MD5 hash: 9716a6a99a7ff149a94f8f10400e9d49
MIME type:application/x-dosexec
File name:airstrip.eps
File size:6'015'798 bytes
SHA256 hash: dac4389e990c7238ba6ee08e0505cea5ddabaf4d8dc38354c47d18de1624f43d
MD5 hash: 93fd78e011ac0e5255ed8bc3d652fd13
MIME type:application/octet-stream
File name:concrt140.dll
File size:260'176 bytes
SHA256 hash: 0a3894dd420ed6b4c7ebbde463dbbde69cdb032e290b1c86c21ccdaa4da95526
MD5 hash: f36dae6ea00f102b60a5011af0732123
MIME type:application/x-dosexec
File name:dbxint.dll
File size:288'232 bytes
SHA256 hash: ac0ee866a26de6b71295715025df095104f7d0e3f2a8558f01b67666b5e27ec0
MD5 hash: ceb6096849db0899b4b60c0d6e58b785
MIME type:application/x-dosexec
File name:msvcp140.dll
File size:448'592 bytes
SHA256 hash: 4ad3de3443d7658f74c978e7eb04730e3d812bc592fee47be4e6348d1fb4814e
MD5 hash: cdae969102e88f6704d853f9521eedd2
MIME type:application/x-dosexec
File name:dbxase.dll
File size:282'600 bytes
SHA256 hash: 429834aff3ec005aee44282a039fa822547373936bb41b4e6b0073fb25508b03
MD5 hash: 019f61f5bf96f5b80a846efef7ffe931
MIME type:application/x-dosexec
File name:dbxmys.dll
File size:263'144 bytes
SHA256 hash: 1ac17f8c447e33c450c82c76d0ad36f4d140a0151bc612f5de1185264b8c36f6
MD5 hash: f21b46b7323d8f6d85e8f8cc2d255677
MIME type:application/x-dosexec
File name:vcl290.bpl
File size:4'426'216 bytes
SHA256 hash: 92ba4c51e0f68158fcc6fe67ce587ac0c2b3e28db5ca6e19c5a297e872ec1963
MD5 hash: 3e043a4959d3e68162b06dcdb758fab0
MIME type:application/x-dosexec
File name:vcpkgsrv.exe
File size:1'496'680 bytes
SHA256 hash: a5c5487194f761dac90e178c9c1753c0f47b041f3168b5c23a587f33f69e5089
MD5 hash: 38901633c833cba7f682472ced0dbe4b
MIME type:application/x-dosexec
File name:DbxDb2.dll
File size:272'872 bytes
SHA256 hash: ab1f8b62416ca7390987c8616cde1e3cf8685d867a350527cdea15fd3b9a014e
MD5 hash: 438658d2d42b2417afd34bacec6a55aa
MIME type:application/x-dosexec
File name:DVCLAL
File size:16 bytes
SHA256 hash: 88d14cc6638af8a0836f6d868dfab60df92907a2d7becaefbbd7e007acb75610
MD5 hash: d8090aba7197fbf9c7e2631c750965a8
MIME type:application/octet-stream
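The pumped member above is the interesting one in this archive: 844 MB on disk, 5 MB once de-pumped. The script below is an added example of how to do that check yourself; it is not MalwareBazaar's tooling, and the page does not say how the site de-pumps, so the de-pumped hash you get from a real file may differ from theirs. It parses the PE headers, takes the end of the last section (or of the Authenticode certificate table, which legitimately lives in the overlay) as the image's real end, and treats anything beyond that as overlay. An overlay larger than the image itself is flagged as pumping. The dummy PE and the zip archive are constructed inline for offline testing and do not correspond to the real cpfe.dll; the function names are this example's own.

```python
"""Spot and strip a "pumped" PE inside a sample archive (added example)."""
import hashlib
import io
import struct
import zipfile
from collections import Counter
from math import log2


def pe_mapped_end(data: bytes) -> int:
    """Offset one past the last byte claimed by the headers, the sections or the
    Authenticode certificate table. Raises ValueError if this is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    sec_table = opt + opt_size
    end = sec_table + num_sections * 40
    for i in range(num_sections):  # SizeOfRawData, PointerToRawData at +16/+20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    # The security directory (index 4) stores a *file offset*: a signed binary's
    # certificate sits in the overlay and must survive de-pumping.
    if opt_size >= 2:
        magic = struct.unpack_from("<H", data, opt)[0]
        dd_off = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
        if opt_size >= (dd_off - opt) + 5 * 8:
            cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
            if cert_size:
                end = max(end, cert_off + cert_size)
    return end


def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a single repeated value)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * log2(c / n) for c in Counter(chunk).values())


def analyze(data: bytes) -> dict:
    """Size accounting for one PE: where the image ends and what follows it."""
    end = pe_mapped_end(data)
    overlay = data[end:]
    return {
        "file_size": len(data),
        "mapped_end": end,
        "overlay_size": len(overlay),
        # Padding is often one repeated byte (entropy ~0), but random filler is
        # also seen, so the size ratio, not the entropy, is the deciding tell.
        "overlay_entropy": round(entropy(overlay[: 1 << 20]), 2),
        "pumped": len(overlay) > end,
    }


def depump(data: bytes) -> bytes:
    """Drop the overlay. Caveat: overlays can also be legitimate payloads
    (installer stubs, self-extractors), so keep the original and record both hashes."""
    return data[: pe_mapped_end(data)]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_report(zip_bytes: bytes, max_member: int = 1 << 30) -> list[dict]:
    """Hash every member of a zip and run the pump check on the PE ones."""
    out = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member:  # zip-bomb guard before inflating
                out.append({"name": info.filename, "skipped": info.file_size})
                continue
            data = zf.read(info)
            entry = {"name": info.filename, "size": len(data), "sha256": sha256(data)}
            if data[:2] == b"MZ":
                try:
                    entry.update(analyze(data))
                except (ValueError, struct.error):
                    entry["pe_error"] = True
                else:
                    if entry["pumped"]:
                        entry["depumped_sha256"] = sha256(depump(data))
            out.append(entry)
    return out


def build_test_pe(section: bytes, overlay: bytes = b"", cert_size: int = 0) -> bytes:
    """Constructed dummy PE32 (one section, not executable) for offline testing."""
    e_lfanew, opt_size, raw_ptr = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2))
    if cert_size:  # security directory -> first cert_size bytes of the overlay
        struct.pack_into("<II", opt, 96 + 4 * 8, raw_ptr + len(section), cert_size)
    sec = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), raw_ptr) + b"\0" * 16
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + b"\0" * (raw_ptr - len(hdr)) + section + overlay


def build_test_archive(members: dict) -> bytes:
    """Constructed in-memory zip of {name: bytes} for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    code = bytes(range(256)) * 4
    sample = build_test_archive({"cpfe.dll": build_test_pe(code, b"\0" * 100_000),
                                 "readme.txt": b"not a PE"})
    for entry in archive_report(sample):
        print(entry)
```

Run it against a real archive by passing the zip bytes to archive_report(); a member whose overlay dwarfs its mapped image is reported with both its original and its de-pumped SHA256, which is what you need to match either hash in the listing above.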
Vendor Threat Intelligence

Verdict: Malicious
Score: 91.7%
Tags: injection packed obfusc

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create during analysis. Only matches from TLP:CLEAR rules are displayed. Note that MalwareBazaar lists the threat for this entry as unknown and the HijackLoader name appears only as a reporter tag: the rules that matched below are generic heuristics (Borland/Delphi and .NET compiler artifacts, anti-debugging API references, TLS callbacks, an embedded certificate, obfuscation indicators), not family signatures, and at least one of them is documented by its author as prone to false positives.

Rule name: Borland
Author: malware-lu

Rule name: Check_Debugger

Rule name: Check_OutputDebugStringA_iat

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments