MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f3ad7b06e19a4bd5bdb522cd41ca313b0c89c0840cdefa75639231a81e4c8bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash: 5f3ad7b06e19a4bd5bdb522cd41ca313b0c89c0840cdefa75639231a81e4c8bc
SHA3-384 hash: 05b9b738e73084d9398a88eaabfc4295f30ba0889f5eeeeade87c57e617257bfad2a09fe88759dc485d238055e13b8fe
SHA1 hash: 10caba45fa4a4b1df68998c163d89b0c921b6c6b
MD5 hash: 6015855dd2d90f8a38b7d8e7188806cf
humanhash: juliet-massachusetts-cold-five
File name:invites.zip
Download: download sample
File size:4'585 bytes
First seen:2026-06-16 11:41:50 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 96:hrSLh3f3/2brHm7gZRPsLQdGQ+NpsTL7rJKOOJTeEiFTu3Y7nDLxo+eO:oLhHorTbsuGQ7H7rJQeX72+p
TLSH T1F1916C71C1486D9EE28F82BB070F9F8BCE2EA69DD9611722064E17535E3F198A134954
Magika zip
Reporter smica83
Tags:zip

Intelligence


File Origin
# of uploads :
1
# of downloads :
70
Origin country :
HU HU
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:invites.lnk
File size:14'128 bytes
SHA256 hash: fdd711fd0fafac5dee98a0433005ac2a2c926687175128f69f34b29b132adf46
MD5 hash: f4f05fa58865bc7cb2bab79887f06652
MIME type:application/octet-stream
Vendor Threat Intelligence
Verdict:
Malicious
Score:
93.3%
Tags:
infosteal shell virus sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 cmd evasive lolbin masquerade
Verdict:
Malicious
File Type:
zip
First seen:
2026-06-15T03:12:00Z UTC
Last seen:
2026-06-15T03:29:00Z UTC
Hits:
~10
Gathering data
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2026-06-14 09:08:25 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery execution persistence privilege_escalation rat revoked_codesign
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Signed with revoked ConnectWise certificate
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Execution_in_LNK
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:PS_in_LNK
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:Script_in_LNK
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments