MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71a13ba4a3776cde8a15a56f41369e512856589a751d126eb0a96c9019a20a65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Viking
Vendor detections: 15

SHA256 hash: 71a13ba4a3776cde8a15a56f41369e512856589a751d126eb0a96c9019a20a65
SHA3-384 hash: 8ff9513b0c28063cd6d6ea500e1585941737d8d51dad4bc14adbc729ccfae814c3ee3f8e7c65b6fd1fbeb412689ba71f
SHA1 hash: cb71ab8275de40a974f2ef85ef80dff990c3e986
MD5 hash: 15dcdde5c38e01174d1d20b631f69526
humanhash: cold-victor-oscar-delaware
File name: 7z.exe
Signature: Viking
File size: 591'489 bytes
First seen: 2025-06-21 16:40:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 87bed5a7cba00c7e1f4015f1bdae2183 (3'034 x Jadtre, 23 x IcedID, 23 x Blackmoon)
ssdeep: 6144:uh46tGdyWE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0G:uh3Nt7a3iwbihym2g7XO3LWUQfh4Co
Threatray: 10 similar samples on MalwareBazaar
TLSH: T120C40826F6748335D073C0B9C5D2A68AEE7130865B308ACB0286D77C6F676E6D53A731
Magika: pebin
dhash icon: b2e1b496a6cada72 (13 x LummaStealer, 13 x AsyncRAT, 11 x HijackLoader)
Reporter: 5KidRo0t
Tags: exe unknown Viking worm

Intelligence

File Origin
# of uploads: 1
# of downloads: 528
Origin country: ES

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7z.exe
Verdict: Malicious activity
Analysis date: 2025-06-21 16:41:16 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: injection viking looked virus
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context borland_delphi evasive overlay packed packer_detected viking winupack zero

Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: n/a
Detection: malicious
Classification: spre.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Creates files in the recycle bin to hide itself
Disables security and backup related services
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Windows Service Tampering
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 1719927; Sample: 7z.exe; Startdate: 21/06/2025; Architecture: WINDOWS; Score: 100
Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
Process tree recovered from the graph (the original page rendered this as an image):
7z.exe (started)
  dropped: C:\Windows\rundl132.exe (PE32), C:\Windows\Logo1_.exe (PE32), C:\Users\user\Desktop\7z.exe.exe (PE32+)
  signatures: Creates an undocumented autostart registry key; Drops executables to the windows directory (C:\Windows) and starts them; Disables security and backup related services
  Logo1_.exe (started)
    network: 192.168.2.100 (unknown), 192.168.2.101 (unknown), 98 other IPs or domains
    dropped: C:\Windows\Dll.dll (PE32), C:\Users\user\Desktop\7z.exe (PE32), C:\...\maintenanceservice.exe (PE32), 33 other malicious files
    signatures: Creates files in the recycle bin to hide itself; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
    net.exe (started) -> conhost.exe, net1.exe
    net.exe (started) -> conhost.exe, net1.exe
    explorer.exe (injected) -> notepad.exe
  cmd.exe (started) -> conhost.exe, 7z.exe
  net.exe (started) -> conhost.exe, net1.exe
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Worm.Viking
Status: Malicious
First seen: 2025-06-21 10:05:00 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 36 of 37 (97.30%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in Drivers directory

Verdict: Malicious
Tags: Win.Trojan.Philis-26
YARA: n/a
Unpacked files
SHA256 hash: 71a13ba4a3776cde8a15a56f41369e512856589a751d126eb0a96c9019a20a65
MD5 hash: 15dcdde5c38e01174d1d20b631f69526
SHA1 hash: cb71ab8275de40a974f2ef85ef80dff990c3e986

SHA256 hash: 87a1f451f70885dcd6c4e9c745c84a2ac3ae8268d1e2e74f0490165f4a578e64
MD5 hash: ce9691f0ef6a1a4fa465239a65e403cc
SHA1 hash: e5364ef7eeb7666ff8ed96d2d7be3877413df1e8
Detections: SUSP_XORed_URL_In_EXE

SHA256 hash: 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
MD5 hash: 9a1dd1d96481d61934dcc2d568971d06
SHA1 hash: f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256 hash: cb09ff94d9a9de86c93beff2fc7487c3024367bf57ac8f47e21cc0f98be7be86
MD5 hash: b342adcd8c8466f02d24f0947a7a5778
SHA1 hash: fd6e43111eba4b90926aca24e643177c87a1a53b
Detections: SUSP_XORed_URL_In_EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: TeslaCryptPackedMalware

Rule name: Upack024027beta028alphaDwing
Author: malware-lu

Rule name: Upackv01xv02xDwing
Author: malware-lu

Rule name: Upackv024v028AlphaDwing
Author: malware-lu

Rule name: Upackv029Betav031BetaDwing
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments