MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4
SHA3-384 hash: e4d90ab053089fdf36c6388181d5f9965cb9c898c4eb0fa10d91bc3c5433b4a091d85e2dbf241fe9302e88adc6e37861
SHA1 hash: b7f4e99a0b9585b53a80e06200850d560d6455a8
MD5 hash: 12d1b84ed1d5440a3a713482726f32cf
humanhash: fanta-blue-delta-cup
File name:Lawwasoft.zip
Download: download sample
File size:3'365'735 bytes
First seen:2025-12-22 20:03:58 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 98304:KMJA8TJEqFiYRv7GveZ375fyYHdd6f1vCX0CI+rXf3D:KMFTJLFiYRv7GM37NldM16/RrvT
TLSH T104F556C78AC11EC7DDC45838AC7B4F705A30C8AEF856CA579B32A6699FC73909C1A44D
Magika zip
Reporter burger
Tags:file-pumped zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
NL NL
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Lawwasoft.exe
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:859'832'320 bytes
SHA256 hash: 6d225fdec313989b6f5962fa4fc9708c2cbda416e9ce595743439df2bdcbf99d
MD5 hash: be6ead562173a334fb975b1b5d539a62
De-pumped file size:2'154'496 bytes (Vs. original size of 859'832'320 bytes)
De-pumped SHA256 hash: f9c11409aeda4da9d5b73afb5d7f61af703f04c73f24604a8434049087b33fe0
De-pumped MD5 hash: 965a5a3852e8722225b0d225e183533b
MIME type:application/x-dosexec
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/e479b8bf-6e32-4894-bea8-71c3054c190d/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6949a44e1f457957572375a6
Tags:
n/a
Result
Verdict:
Malicious
File Type:
ZIP File - Malicious
Link:
https://app.docguard.net/50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4/results/dashboard
Behaviour
SuspiciousEmbeddedObjects detected
Gathering data
Verdict:
Suspicious
Labled as:
HEUR/Pumpar.Generic
Link:
https://www.hybrid-analysis.com/sample/50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4
Verdict:
Clean
File Type:
zip
Link:
https://opentip.kaspersky.com/50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4/results?tab=lookup
Score:
9%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4
Verdict:
Malware
YARA:
3 match(es)
Tags:
.Net CVE-2019-13232 CVE-2019-9674 CVE-2022-29225 CVE-2022-36114 CVE-2023-46104 CVE-2024-0450 Executable Malicious PDB Path PE (Portable Executable) PE File Layout Zip Archive Zip Bomb
Link:
https://app.malva.re/file/12d1b84ed1d5440a3a713482726f32cf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4/
Threat name:
Archive.Trojan.Pumpar
Create hunting rule
Status:
Malicious
First seen:
2025-12-22 20:04:17 UTC
File Type:
Binary (Archive)
Extracted files:
125
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kb4hqev2glrwwu3iwxhtxqt63zrwlajsvl674lq7oboqujhif32a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PK_PUMP_AND_DUMP
Create hunting rule
Author:Will Metcalf @node5
Description:Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then check to see how much uncompressed size is vs compressed size
Rule name:weird_zip_high_compression_ratio
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit
Reference:https://twitter.com/Cryptolaemus1/status/1633099154623803394

File information

The table below shows additional information about this malware sample such as delivery method and external references.

zip 50787812ba32e36b5368b5cf3bc27ede63658132aafdfe2e1f705d0a24e82ef4

(this sample)

Executable exe f9c11409aeda4da9d5b73afb5d7f61af703f04c73f24604a8434049087b33fe0

  
Dropping
SHA256 f9c11409aeda4da9d5b73afb5d7f61af703f04c73f24604a8434049087b33fe0
  
Dropping
MD5 965a5a3852e8722225b0d225e183533b

Comments