MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Lazarus

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc
SHA3-384 hash:	2f1c4ba46eee47d05e8350ea404046a9def7105e7de970ffb9e48f24d75f03794fdd461e28aa5f4a2ff2c992a1b18bc0
SHA1 hash:	b365bed712582b3792096ff389e1755ff99a1f7e
MD5 hash:	fb84a392601fc19aeb7f8ce11b3a4907
humanhash:	september-stream-mississippi-king
File name:	588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc
Download:	download sample
Signature	Lazarus Create hunting rule
File size:	149'504 bytes
First seen:	2026-04-15 07:42:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6607e36e3a1b7bd285e3810e78bed30b (1 x Lazarus)
ssdeep	3072:EGcHEej7vBGV5T1jVMOOIFpzbTQgl1bFSsZ66p+73XVJr:EGcHEybBGDToOOQBIGbFRxpc
Threatray	8 similar samples on MalwareBazaar
TLSH	T140E35B4733A074F9E063DA3889928942E7B63C7907719B8F5760536A1F332D1AE3DB21
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	APT37 exe Lazarus

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Tiger

Details

Tiger

c2 urls, a mutex, tiger cipher keys, and possibly an RC4-DoubleS key

Link:

https://research.acce.ciphertechsolutions.com/results/50ca03f3-d252-4cf3-8fd9-c7751a495c5b/

Malware family:

n/a

ID:

File name:

_588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc.exe

Verdict:

Suspicious activity

Analysis date:

2026-04-15 07:45:17 UTC

Tags:

auto-startup

Link:

https://app.any.run/tasks/fccbd4e7-b66b-4cc4-9e1d-1a6f0e82603b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61654/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader48.44082.14793.28750.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69df41b345787c53e539ddec

Tags:

autorun virus remo blic

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP POST request

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

alien anti-debug anti-vm base64 cmd lolbin microsoft_visual_cc nukesped unsafe windows

Link:

https://www.filescan.io/uploads/69df41a8799d5bf325ff3377/reports/4933c010-d37a-4d92-8a31-6dcdf61660bb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc

Verdict:

Malicious

File Type:

exe x64

First seen:

2023-03-23T08:51:00Z UTC

Last seen:

2026-04-15T06:37:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.Win64.Alien.adf Trojan-Downloader.Agent.HTTP.C&C PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc/results?tab=lookup

Malware family:

Lazarus

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/48631b99-83ad-4b45-a536-46d97a356e8e

Score:

76%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc/

Verdict:

Malicious

Threat:

Trojan-Downloader.Win64.Alien

Link:

https://tip.neiki.dev/file/588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc

Threat name:

Win64.Backdoor.Tigerrat

Status:

Malicious

First seen:

2021-09-07 19:32:07 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lcgnxu7ogwkfexvwf6t3vmki63l2waahg76aymi2kwenzftzjlga._file

Verdict:

malicious

Label(s):

tigerdownloader

Lazarus

0996a8e5ec1a41645309e2ca395d3a6b766a7c52784c974c776f258c1b25a76c

Lazarus

1222c6596fb088c3be1ec893d177e81ff2bcb38f00940c07c2cb9a0288544b26

Lazarus

5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2c26c6c

Lazarus

f40d387631ddb0db70128e72239d0cae7a22b2135c0ec0d540e018aa727d4c8e

Lazarus

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/260415-jkjfdagz2j/

Behaviour

Enumerates physical storage devices

Drops startup file

Unpacked files

SH256 hash:

588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc

MD5 hash:

fb84a392601fc19aeb7f8ce11b3a4907

SHA1 hash:

b365bed712582b3792096ff389e1755ff99a1f7e

Link:

https://www.unpac.me/results/d5b1eb69-034d-4242-8b66-e2801fe79e07/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_NukeSped_b8e6cc07 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/61654/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample