MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69997258f22f9bd2247e4ee737da885f140c80ec9d33b5e6bcac5dcef3b501e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 29 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69997258f22f9bd2247e4ee737da885f140c80ec9d33b5e6bcac5dcef3b501e4
SHA3-384 hash: 6e59cece2f6bb4c91ca51ec2ff43a063d645d4dd591e89540267cf43b5d28e0bc27cff93c03e9516df9a74c24f81bc90
SHA1 hash: 7d091c7b936920f68e9dfe2bd81bb9dda75374a9
MD5 hash: 7f47f38f6ea9c31257c964cbe0014cab
humanhash: foxtrot-sixteen-michigan-cardinal
File name:Loader.zip
Download: download sample
File size:15'206'430 bytes
First seen:2025-03-16 21:57:15 UTC
Last seen:2025-03-18 11:04:32 UTC
File type: zip
MIME type:application/zip
ssdeep 393216:ri83ViDs0qNLJ25rLYPpyMbVYv2Mfu73AcR7cg:rdinq2GRhVYvS3A07
TLSH T110E633B7547DA2ABB5BF9C75FCD34FCD2E54A8708313486C4088282A29D3ED9F632591
TrID 37.5% (.KMZ) Google Earth saved working session (6000/1/1)
37.5% (.WMZ) Windows Media Player skin (6000/1/1)
25.0% (.ZIP) ZIP compressed archive (4000/1)
Magika zip
Reporter tcains1
Tags:zip

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
US US
File Archive Information

This file archive contains 6 file(s), sorted by their relevance:

File name:Qt5Concurrent.dll
File size:131'432 bytes
SHA256 hash: d4a01961fff02cc38ab906d3bffaeb49db893edc624f840e06d07985086db29f
MD5 hash: 31955f92dd3ca70cab821b6199018ebf
MIME type:application/x-dosexec
File name:Installer.exe
File size:31'824'386 bytes
SHA256 hash: 6d5697e1a1419dd6fcfef13b4d998b5e0dcbd7b9e50663b8b9c74013bd84693b
MD5 hash: f7c8c6f92a5a6e0419cc389ecdbf0dbf
MIME type:application/x-dosexec
File name:Qt5Core.dll
File size:6'288'744 bytes
SHA256 hash: b72018655360463896edbd86b120be6dfa7235ae8a0aaa728165cb496573acb9
MD5 hash: c49ac6ad9630be526b2f9c3a9f094b53
MIME type:application/x-dosexec
File name:_RDATA
File size:512 bytes
SHA256 hash: c16711c4d56d2c81d29ec88b245627314ea22b6d146236879a998c46aeb09106
MD5 hash: acccfa93dd93a5fd672a2c0b279304a8
MIME type:application/octet-stream
File name:Manual.txt
File size:116 bytes
SHA256 hash: 8388195487057440f4653bcecb0db0c2b799e1236dbc4e38ce04d11e46a47775
MD5 hash: c9dcd7f0ebd9339d2660eb55346b5e53
MIME type:text/plain
File name:2
File size:381 bytes
SHA256 hash: 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
MD5 hash: 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
MIME type:text/xml
Vendor Threat Intelligence
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d759dd3962f1a6f4721c11
Tags:
n/a
Result
Verdict:
Suspicious
File Type:
PE File
Link:
https://app.docguard.net/69997258f22f9bd2247e4ee737da885f140c80ec9d33b5e6bcac5dcef3b501e4/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/69997258f22f9bd2247e4ee737da885f140c80ec9d33b5e6bcac5dcef3b501e4
Score:
92%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/69997258f22f9bd2247e4ee737da885f140c80ec9d33b5e6bcac5dcef3b501e4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69997258f22f9bd2247e4ee737da885f140c80ec9d33b5e6bcac5dcef3b501e4/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ngmxewhsf6n5ejd6j3ttpwuil4kazahmtuz3lzv4vro4545vahsa._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69997258f22f9bd2247e4ee737da885f140c80ec9d33b5e6bcac5dcef3b501e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202409_html_FedEx_phish
Create hunting rule
Author:abuse.ch
Description:Detects potential HTML FedEx phishing forms
Rule name:APT_Bitter_ZxxZ_Downloader
Create hunting rule
Author:SECUINFRA Falcon Team (@SI_FalconTeam)
Description:Detects Bitter (T-APT-17) ZxxZ Downloader
Reference:https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh
Rule name:attack_India
Create hunting rule
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Pkg
Create hunting rule
Author:nwunderly
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zip 69997258f22f9bd2247e4ee737da885f140c80ec9d33b5e6bcac5dcef3b501e4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3480001/
  
URLhaus
https://urlhaus.abuse.ch/url/3480002/

Comments