MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c88a492f753cb10db03eef496e24f04ea3170fe96fd439368a3769b75e66a0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 31 File information Comments

SHA256 hash: 6c88a492f753cb10db03eef496e24f04ea3170fe96fd439368a3769b75e66a0b
SHA3-384 hash: 0799ee6876ae425634eea451e9cc8312da2acacaef380e0452442b5eceff703686efae994952ef42796ce5f5301a9505
SHA1 hash: f28bddd5142882bf46b54bf45be221ac69686f70
MD5 hash: 1e8a35bec88d2c936f0b9af96ef8700d
humanhash: pasta-yellow-video-steak
File name:Invoice-Vertex.zip
Download: download sample
File size:10'360'541 bytes
First seen:2026-05-28 10:43:52 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 196608:Pc54v4Yoopaq0EOsPe2Brds4m2ZvU75T+LvaKuSxo3ZdQL6VDuLhOeKzRD8XvLQ:PVvyopismurxmYU75avUSxcZdS6wLArz
TLSH T1B6A63366DD07B9258CEB3AD397874211ECDA916606635A773CC2A3C9840D9F0E067F3B
Magika zip
Reporter JAMESWT_WT
Tags:Spam-ITA Vertex-Global-Solutions vhd-extracted-rezipped zip

Intelligence


File Origin
# of uploads :
1
# of downloads :
60
Origin country :
IT IT
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name:netutils.dll
File size:139'024 bytes
SHA256 hash: 097d580b48397feb458bed57eceeaf89b6e0deff578f7e2a1320aeda8c98e8bb
MD5 hash: f92af47aef5e48867dd2d166cd77b5c5
MIME type:application/x-dosexec
File name:file.dll
File size:63'336 bytes
SHA256 hash: 71e1eb4a3027cf348d71bfdfebf0ede76d05d521293250d627417f7c2d9478d8
MD5 hash: 66357244372212540a2863475c77a579
MIME type:application/x-dosexec
File name:Document.pdf.exe
File size:20'292'984 bytes
SHA256 hash: 719f689b34f47be8ca105ce8484948474dafde0e106bab599e4a89326070c3d0
MD5 hash: 79435213ab241b13a9d8da354c088868
MIME type:application/x-dosexec
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Tags:
injection obfusc virus
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm expired-cert microsoft_visual_cc signed
Verdict:
Malicious
File Type:
zip
First seen:
2026-05-28T08:54:00Z UTC
Last seen:
2026-05-28T09:36:00Z UTC
Hits:
~10
Gathering data
Threat name:
Win32.Trojan.Suschil
Status:
Malicious
First seen:
2026-05-28 10:44:51 UTC
File Type:
Binary (Archive)
Extracted files:
58
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Executes dropped EXE
Drops file in System32 directory
Downloads MZ/PE file
Looks up external IP address via web service
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:certum_issuer
Author:Certum
Description:Looks for files signed with certificate issued by Certum
Rule name:Check_OutputDebugStringA_iat
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_all_IPv6_variants
Author:Bierchermuesli
Description:Generic IPv6 catcher
Rule name:detect_certum_issuer
Author:Certum
Description:Looks for files signed with certificate issued by Certum
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:reverse_http
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:skip20_sqllang_hook
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:telebot_framework
Author:vietdx.mb
Rule name:test_Malaysia
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:without_attachments
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments