MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5570ac1238a00d49bc8517dd5444c7736932775c96a3a3f2d0e6ccf55edbce83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emmenhtal


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5570ac1238a00d49bc8517dd5444c7736932775c96a3a3f2d0e6ccf55edbce83
SHA3-384 hash: 2ff0cea227fa59d50e1f59a95cd2d7ef407aef5570ebdde5c0484a7af8be0de0fe4f08e3a653cf5f75159009eafeaf73
SHA1 hash: c3eae6a13187fd1733c4da5ca6ebf7678250f422
MD5 hash: edf5c9e85c308a0c5a0293d51aa1dcc3
humanhash: five-grey-berlin-sink
File name:SecuriteInfo.com.JS.Packed.138.27660.22924
Download: download sample
Signature Emmenhtal
Create hunting rule
File size:17'894'738 bytes
First seen:2025-07-12 18:23:19 UTC
Last seen:2025-07-12 19:29:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 612ed09aad1b681b8cbeb72e4bdb3673 (5 x Emmenhtal)
ssdeep 196608:kDEBSWl7vFoepcOQADEBSWl7vFoepcOQxDEBSWl7vFoepcOQ2DEBSWl7vFoepcOk:zArhvArhoArhdArhIArh
Threatray 2 similar samples on MalwareBazaar
TLSH T1E007C813B7485231E5AD2274158A13686E69EBB47F7F02D7190E13AE49A43C50FF3CBA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e43a6a71b0e8e871 (5 x Emmenhtal, 1 x CoinMiner)
Reporter SecuriteInfoCom
Tags:Emmenhtal exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
15
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Report Form.lnk
Verdict:
Malicious activity
Analysis date:
2025-07-12 07:25:02 UTC
Tags:
python auto generic
Link:
https://app.any.run/tasks/4967f639-662a-4e50-965b-b6b8f5a4ddb2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14009/
Detection(s):
SecuriteInfo.com.JS.Packed.138.27660.22924.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.FakeCaptcha-Downloader.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6872a828c9eb974737689c32
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug base64 crypto fingerprint microsoft_visual_cc overlay overlay
Link:
https://www.filescan.io/uploads/6872a867425a30d7acd7c811/reports/122f66b5-4b35-4de5-bcb9-5b223fcb7c87/overview
Verdict:
Suspicious
Labled as:
Troj/DwnLd
Link:
https://www.hybrid-analysis.com/sample/5570ac1238a00d49bc8517dd5444c7736932775c96a3a3f2d0e6ccf55edbce83
Score:
15%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5570ac1238a00d49bc8517dd5444c7736932775c96a3a3f2d0e6ccf55edbce83
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5570ac1238a00d49bc8517dd5444c7736932775c96a3a3f2d0e6ccf55edbce83/
Verdict:
Malicious
Threat:
Win32.Ransomware.Heuristic
Link:
https://tip.neiki.dev/file/5570ac1238a00d49bc8517dd5444c7736932775c96a3a3f2d0e6ccf55edbce83
Threat name:
Win32.Dropper.Lumma
Create hunting rule
Status:
Malicious
First seen:
2025-07-12 13:37:56 UTC
File Type:
PE (Exe)
Extracted files:
94
AV detection:
10 of 24 (41.67%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kvykyeryuagutpefc7ovirghonute524s2r2h4wq43gpkxw3z2bq._file
Verdict:
malicious
Label(s):
emmenhtal
Create hunting rule
Similar samples:
2d13c5ef77f734a93a86e11e1287c5bbaa2321c39fdcfd5899a164c1b8cad307
Emmenhtal
96a87656db90b657c1f480b56bad7c8432d4aa4b351da5813cee6818fa624138
Emmenhtal
error
Emmenhtal
Result
Malware family:
emmenhtal
Create hunting rule
Score:
  10/10
Tags:
family:emmenhtal discovery
Link:
https://tria.ge/reports/250712-w1tbqsgr4x/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4d92129b-d402-4f89-9a67-d0360e25c0b6
Unpacked files
SH256 hash:
5570ac1238a00d49bc8517dd5444c7736932775c96a3a3f2d0e6ccf55edbce83
MD5 hash:
edf5c9e85c308a0c5a0293d51aa1dcc3
SHA1 hash:
c3eae6a13187fd1733c4da5ca6ebf7678250f422
Detections:
Emmenhtal
Create hunting rule
Link:
https://www.unpac.me/results/6e26414a-952b-4c6d-bdb3-597248280962/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5570ac1238a00d49bc8517dd5444c7736932775c96a3a3f2d0e6ccf55edbce83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:IDATDropper
Create hunting rule
Author:NDA0E
Description:Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).
Rule name:MALWARE_Win_FakeCaptcha_Downloader
Create hunting rule
Author:ditekshen
Description:Detects downloader executables dropped by fake captcha
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Emmenhtal

Executable exe 5570ac1238a00d49bc8517dd5444c7736932775c96a3a3f2d0e6ccf55edbce83

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3582044/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/14009/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationapi-ms-win-security-base-l1-1-0.dll::AllocateAndInitializeSid
api-ms-win-security-base-l1-1-0.dll::CopySid
api-ms-win-security-base-l1-1-0.dll::FreeSid
api-ms-win-security-base-l1-1-0.dll::GetLengthSid
api-ms-win-security-base-l1-1-0.dll::GetTokenInformation
api-ms-win-security-base-l1-1-0.dll::IsValidSid
COM_BASE_APICan Download & Execute componentsapi-ms-win-core-com-l1-1-0.dll::CoCreateInstance
api-ms-win-core-com-l1-1-0.dll::CreateStreamOnHGlobal
SECURITY_BASE_APIUses Security Base APIapi-ms-win-security-base-l1-1-0.dll::AccessCheck
api-ms-win-security-base-l1-1-0.dll::AddAccessAllowedAce
api-ms-win-security-base-l1-1-0.dll::AddAce
api-ms-win-security-base-l1-1-0.dll::DuplicateToken
api-ms-win-security-base-l1-1-0.dll::GetAclInformation
api-ms-win-security-base-l1-1-0.dll::GetSecurityDescriptorControl
WIN32_PROCESS_APICan Create Process and Threadsapi-ms-win-core-processthreads-l1-1-0.dll::CreateProcessW
api-ms-win-core-processthreads-l1-1-0.dll::OpenProcessToken
api-ms-win-core-processthreads-l1-1-1.dll::OpenProcess
api-ms-win-core-synch-l1-1-0.dll::OpenSemaphoreW
api-ms-win-core-handle-l1-1-0.dll::CloseHandle
api-ms-win-core-processthreads-l1-1-0.dll::CreateThread
api-ms-win-core-threadpool-l1-2-0.dll::CreateThreadpoolWork
WIN_BASE_APIUses Win Base APIapi-ms-win-core-processthreads-l1-1-0.dll::TerminateProcess
api-ms-win-core-libraryloader-l1-2-0.dll::LoadLibraryExW
api-ms-win-core-libraryloader-l1-2-0.dll::LoadLibraryExA
api-ms-win-core-sysinfo-l1-1-0.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Filesapi-ms-win-core-file-l2-1-2.dll::CopyFileW
api-ms-win-core-file-l1-1-0.dll::CreateFileW
api-ms-win-core-file-l1-1-0.dll::DeleteFileW
api-ms-win-core-sysinfo-l1-1-0.dll::GetSystemDirectoryW
api-ms-win-core-file-l1-1-0.dll::GetFileAttributesW
api-ms-win-core-file-l1-1-0.dll::FindFirstFileW
WIN_CRYPT_APIUses Windows Crypt APIapi-ms-win-security-cryptoapi-l1-1-0.dll::CryptAcquireContextW
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptCreateHash
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptDecrypt
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptEncrypt
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptExportKey
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptGenKey
WIN_REG_APICan Manipulate Windows Registryapi-ms-win-core-registry-l1-1-0.dll::RegCreateKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegGetValueW
api-ms-win-core-registry-l1-1-0.dll::RegOpenKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegQueryInfoKeyW
api-ms-win-core-registry-l1-1-0.dll::RegQueryValueExW
api-ms-win-core-registry-l1-1-0.dll::RegSetValueExW

Comments