MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74
SHA3-384 hash:	98c2f5e33f7f9e80470b930e99232e57a133683e2bbcfd3f2926f2fab0765fad6b7a491a0fbd2276f1723ea40497a0f2
SHA1 hash:	e7afbf0ec86783679b09a8da19499266eb31ef9e
MD5 hash:	55aff2d198c99a071422848a9286c5c5
humanhash:	lactose-hot-quiet-johnny
File name:	pm.K-ebK8S8.exe
Download:	download sample
File size:	1'801'728 bytes
First seen:	2025-08-20 00:12:46 UTC
Last seen:	2025-08-20 07:19:01 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:sSmOI21uRG1QZ9KCS/q3V3y1TAdXZeWebK1Rz1pSh2SAuh2UUIGD22RrlzgvT:FmM316BSy3VQAdsWRRafAuhTU42R5c
TLSH	T1588523137F4683B1C2190B7AE4A5547403F5D78AB263FA1A399E13216843FFDC6A5387
TrID	56.5% (.EXE) Win64 Executable (generic) (10522/11/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	cnr-software-ru exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74.exe

Verdict:

Malicious activity

Analysis date:

2025-08-20 00:14:15 UTC

Tags:

auto-startup pureminer netreactor

Link:

https://app.any.run/tasks/c54880ae-efee-4f37-b92f-65a5404b8a2b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22360/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.68669596.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a513288fd55a79c5295178

Tags:

phishing autorun

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

Sending a custom TCP request

Using the Windows Management Instrumentation requests

DNS request

Connecting to a non-recommended domain

Connection attempt

Creating a window

Sending an HTTP GET request

Creating a process from a recently created file

Creating a file

Searching for the window

Searching for the Windows task manager window

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Launching a process

Searching for synchronization primitives

Possible injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 net_reactor obfuscated obfuscated packed packed

Link:

https://www.filescan.io/uploads/68a51327ba1f5bb1e60da9af/reports/d718d6d4-29e4-472f-b175-e0676f7d7784/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/fef950e4-edd9-4ee9-9990-e148daf74c30

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74/

Verdict:

Malicious

Threat:

Trojan.MSIL.Inject

Link:

https://tip.neiki.dev/file/40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74

Threat name:

ByteCode-MSIL.Infostealer.Tinba

Status:

Malicious

First seen:

2025-08-20 00:13:29 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ic4nw4pmgwvviwnjrqg6lrgr34f4axwrwyckpzsx6cmbrfqevj2a._file

Verdict:

malicious

Label(s):

purecrypter

Similar samples:

error

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery execution persistence

Link:

https://tria.ge/reports/250820-ah1r7sypv7/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Drops startup file

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e561f5e4-1fe8-452d-ab5d-e7df53d62abb

Unpacked files

SH256 hash:

40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74

MD5 hash:

55aff2d198c99a071422848a9286c5c5

SHA1 hash:

e7afbf0ec86783679b09a8da19499266eb31ef9e

Link:

https://www.unpac.me/results/7c2efbb8-a5f3-4644-b6d7-3c40252e4055/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.49

Link:

https://yomi.yoroi.company/submissions/40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 40b8db71ec35ab5459a98c0de5c4d1df0bc05ed1b604a7e657f098189604aa74

(this sample)

Cape

https://www.capesandbox.com/analysis/22360/

URLhaus

https://urlhaus.abuse.ch/url/3607081/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample