MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64321bf372a6177ff923583cc267e76ae88ba291add9daa3979b50c9c407cd5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash: 64321bf372a6177ff923583cc267e76ae88ba291add9daa3979b50c9c407cd5d
SHA3-384 hash: e180086334d5c8922b14adb764b4fa316141c3dda040f4fefb4bba38ecd2b3b081a75dbad6ed4d7c7fb24c89d1391826
SHA1 hash: da28da436a0f025a455dc6492088021a0ebe39f8
MD5 hash: 23d58044a167ad3558b87b350bab46b7
humanhash: alanine-music-high-single
File name:messagebox.exe
Download: download sample
File size:75'776 bytes
First seen:2025-05-24 09:32:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8765abde0438959f6841de8d92cf8900
ssdeep 1536:ALhLkG61ph+0CqHW7UumpEJevLzy3XDHzFUEaJEssWgHfcdPgTu5cH:AVL6PfCqTpEJevLzy3XDeE2PgTu5cH
TLSH T13B736B47B5E29471E8771D321870D9B09A2FF8215F61ED6B3789523A0F302C19E36E6B
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter skocherhan
Tags:exe EXOPLT


Avatar
skocherhan
https://github.com/EXOPLT/test/raw/refs/heads/main/messagebox.exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
474
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
test-main.zip
Verdict:
Suspicious activity
Analysis date:
2025-04-13 16:09:31 UTC
Tags:
arch-exec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Tags:
virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
microsoft_visual_cc
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1698385 Sample: messagebox.exe Startdate: 24/05/2025 Architecture: WINDOWS Score: 48 10 Multi AV Scanner detection for submitted file 2->10 6 messagebox.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
64321bf372a6177ff923583cc267e76ae88ba291add9daa3979b50c9c407cd5d
MD5 hash:
23d58044a167ad3558b87b350bab46b7
SHA1 hash:
da28da436a0f025a455dc6492088021a0ebe39f8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information


The table below shows additional information about this malware sample such as delivery method and external references.

2c60d74dc011b8cb1dcf49198dca9640

Executable exe 64321bf372a6177ff923583cc267e76ae88ba291add9daa3979b50c9c407cd5d

(this sample)

  
Dropped by
MD5 2c60d74dc011b8cb1dcf49198dca9640
  
Dropped by
MD5 102ba4282b6622f37057b0932364bc68

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments