MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ff6844e43cca715e658fa5e3714dcd439a8aea1195df544f0efb7a00dda6540. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 6ff6844e43cca715e658fa5e3714dcd439a8aea1195df544f0efb7a00dda6540
SHA3-384 hash: 5d44381989c69a81e9ae4c861a41dec71b2b5998d5141e79ce6e8335a4996394b6892bdb7429645f5442a42bdd1f8641
SHA1 hash: a36301910eb0d11c415aa0896e8ca5aa7000aa6f
MD5 hash: 18620f2006df97c2f49b59074c957252
humanhash: jupiter-delaware-johnny-wyoming
File name: 09052026_1606_TINB.docx.lnk.tar
File size: 654'417 bytes
First seen: 2026-05-25 17:14:34 UTC
Last seen: Never
File type: tar
MIME type: application/x-tar
ssdeep: 12288:93cVAOjj6UT5naDKk6+s7rR04bqDY001b7undDGd:9shFk6+s3R04bCI1fuid
TLSH: T1A9D4D042F5E5EC31D463093D08E0C66F663CBC31ABA2E98B17A5A7A71CF52E08576707
TrID: 62.9% (.TAR/GTAR) TAR - Tape ARchive (GNU) (17/3)
      37.0% (.TAR) TAR - Tape ARchive (directory) (10/3)
Magika: tar
Reporter: smica83
Tags: Plugx tar

Intelligence

File Origin
# of uploads: 1
# of downloads: 71
Origin country: HU
File Archive Information

This file archive contains 15 file(s), sorted by their relevance:

File name: CNMNSST.exe
File size: 279'240 bytes
SHA256 hash: 53086e3b557a1d21cf7f4ffc73d92c39b08872334a8cdb09dda0a06bd060cfe9
MD5 hash: adb67ffe941a706b6343f94413f6e5f2
MIME type: application/x-dosexec

File name: CNCLID.dll
File size: 84'992 bytes
SHA256 hash: 81f190a98e9ecaa0ee31c1e7d5b217e324f795d94e4e74db05f879ae3e8c89c2
MD5 hash: a52925727dbbc7a754a2a0b8439c6b61
MIME type: application/x-dosexec

File name: core.xml
File size: 605 bytes
SHA256 hash: 5adffb2675ae446ba80ad82932a279e3660d1df430d3602f4abc12c1869d0e11
MD5 hash: 13418619b09857b8b5c9c05598f65172
MIME type: text/xml

File name: settings.xml
File size: 2'529 bytes
SHA256 hash: 1b369978a92d617965b970e16c9e3134b8f772ac4b7a561359b3dc30486c0b4a
MD5 hash: b553a99ffd248efff565394966d2dc25
MIME type: text/xml

File name: [Content_Types].xml
File size: 1'432 bytes
SHA256 hash: 9c7533f224ef42ff5c9fe35198c56c332316f5ca08cc84a65071cee5ac4063c0
MD5 hash: 1be5a6c2445d9edf27ae79dde73e3b01
MIME type: text/xml

File name: document.xml
File size: 3'336 bytes
SHA256 hash: a52dca7522389fc9014007db97f2ff8cedb15022e741bfb002a221d782dc0c2d
MD5 hash: c4b2e18c5019dc2a9e5145dcba53a2f2
MIME type: text/xml

File name: custom.xml
File size: 526 bytes
SHA256 hash: 29015c31bfbc638e02b5d398ba5ad95b9482b7e9b1ef88c4d74f4fb39e370a27
MD5 hash: aace946fa7711d9c3045f87a288678ee
MIME type: text/xml

File name: itemProps1.xml
File size: 327 bytes
SHA256 hash: 16c9a9ab07e137bbf93dbcfe36c21a778cdccdd1d2b152085354b53a2f17d1c1
MD5 hash: f1792f41535ab296539dde413d734262
MIME type: text/xml

File name: app.xml
File size: 631 bytes
SHA256 hash: a59b03d44416e17f7a81b9fd56c3a882cf19c9e591e84d746f4a1d9f6ca23862
MD5 hash: e6e92b667ec5f3762fe4f82edc8e4a2c
MIME type: text/xml

File name: item1.xml
File size: 258 bytes
SHA256 hash: 82e730c9f15c76ce2ae94b00f958cb98373c60a8f757d090fbcf2f3fecd40eaa
MD5 hash: 472824b1e269bb9d5cc9db9c9811945f
MIME type: text/xml

File name: theme1.xml
File size: 6'436 bytes
SHA256 hash: 2157ebaa401af49c0c9b80ad88ccbad4dbe486136a0b3f4bddc77de976340c33
MD5 hash: 87a30e62ff3d74b5b11504c703c27ec5
MIME type: text/xml

File name: document.xml.rels
File size: 822 bytes
SHA256 hash: 5d819996a1e83d29bd60c7662b8056e1b34c41e18782f78c57761707ec3c1d5c
MD5 hash: c94769fd998b10fe94ee6a1a08a1f1c9
MIME type: text/xml

File name: item1.xml.rels
File size: 296 bytes
SHA256 hash: 80482f86e196171d66001e0e74d1900408a3aaf2463e54005d251b5f2db9a0b0
MD5 hash: 7e5e23715ab49ce56f9130d4c6534a30
MIME type: text/xml

File name: fontTable.xml
File size: 2'508 bytes
SHA256 hash: f32736b1035ddb64953abc35e55d1a5f3633c8fe5644dc58a8b26b2b1f6ddaa0
MD5 hash: 3646b284fee93716be6c358b7ebad979
MIME type: text/xml

File name: styles.xml
File size: 26'026 bytes
SHA256 hash: c6b15f34a52ab624286e83acc54dd762d18425fe962dd91ab17e8212b0f82a6a
MD5 hash: 6a7053bb0ceebc30c43575784ae9eece
MIME type: text/xml
Vendor Threat Intelligence

No detections

Verdict: Malicious
File Type: tar
First seen: 2026-05-25T12:11:00Z UTC
Last seen: 2026-05-27T00:32:00Z UTC
Hits: ~10

Detections: Trojan.Win32.Agentb.trvi
Verdict: Malware

YARA: 2 match(es)
Tags: Corrupted Executable, Office Document, PDB Path, PE (Portable Executable), PE File Layout, Tar Archive

Threat name: Win32.Trojan.Ravartar
Status: Malicious
First seen: 2026-05-25 09:45:36 UTC
File Type: Binary (Archive)
Extracted files: 45
AV detection: 19 of 24 (79.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: defense_evasion discovery persistence
Behaviour:
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments