MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 731b59b177acf002ee1dfe01857bac75b2288724bf5ef9963e1b4137b125cf88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 10 File information Comments

SHA256 hash:	731b59b177acf002ee1dfe01857bac75b2288724bf5ef9963e1b4137b125cf88
SHA3-384 hash:	df4966bfd8459da4bf8e888e2786b80d37fb86a702118433cdda63410e494ab5c9927780564d60e5852146749ec79c87
SHA1 hash:	f31a1801b691de7249a58f0c0de30ea2ec078f43
MD5 hash:	f603a80888ecdddcad8bc9c293a00345
humanhash:	oven-comet-quiet-magnesium
File name:	Document_45.zip
Download:	download sample
File size:	1'075 bytes
First seen:	2023-12-08 09:27:39 UTC
Last seen:	2023-12-15 09:13:23 UTC
File type:	zip
MIME type:	application/zip
ssdeep	24:9UcrKQ25serWfN82QjqpzF7addGK3t7IT4gsGUvUcUfD:9UcULD2QjzYYdurnUscY
TLSH	T127119431E90B5A04D065F3B6F0AB60B5DC7E20F6FE002502941D11FA7451DEEE39B90B
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	zip

cocaman

Malicious email (T1566.001)
From: "Jenny Green <Jenny02@4733.com>" (likely spoofed)
Received: "from [91.185.10.218] (unknown [91.185.10.218]) "
Date: "Thu, 14 Dec 2023 18:10:54 +0600"
Subject: "Your Document #45"
Attachment: "Document_45.zip"

Intelligence

File Origin

# of uploads :

236

# of downloads :

103

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Document_45.doc.lnk
File size:	1'993 bytes
SHA256 hash:	a3a4ce9bb316c707d4d6ce57f4094c8661653bcf62ff962264646ffe036477c3
MD5 hash:	fd9d8ec98df596d3688d0caac08c3efb
MIME type:	application/octet-stream

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_doc.UNOFFICIAL

Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL

Sanesecurity.Malware.26415.PshHeur.UNOFFICIAL

SecuriteInfo.com.LNK.Powershell-B.30288.6761.UNOFFICIAL

MiscreantPunch.INFO.LNK.CMDPSHELL.UNOFFICIAL

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd dropper lolbin masquerade powershell shell32

Link:

https://www.filescan.io/uploads/6572e1a33636548f3742ab97/reports/a79da92d-5d7e-43c0-ba60-c86c0d108df2/overview

Verdict:

Malicious

Labled as:

Trojan.Multi.Agent

Link:

https://www.hybrid-analysis.com/sample/731b59b177acf002ee1dfe01857bac75b2288724bf5ef9963e1b4137b125cf88

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/731b59b177acf002ee1dfe01857bac75b2288724bf5ef9963e1b4137b125cf88

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/731b59b177acf002ee1dfe01857bac75b2288724bf5ef9963e1b4137b125cf88/

Threat name:

Shortcut.Trojan.Genautorunlnkfile

Status:

Malicious

First seen:

2023-12-08 06:37:45 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=omnvtmlxvtyaf3q57yayk65mowzcrbzex5pptfr6dnatpmjfz6ea._file

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/231208-lq26saad74/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Malware Config

Dropper Extraction:

http://twizt.net/spml.exe

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/731b59b177acf002ee1dfe01857bac75b2288724bf5ef9963e1b4137b125cf88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Download_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies download artefacts in shortcut (LNK) files.

Rule name:	Execution_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies execution artefacts in shortcut (LNK) files.

Rule name:	EXE_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies executable artefacts in shortcut (LNK) files.

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	PS_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name:	SUSP_LNK_CMD Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to cmd.exe inside an lnk file, which is suspicious

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

Rule name:	SUSP_LNK_SuspiciousCommands Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects LNK file with suspicious content

Rule name:	SUSP_ZIP_LNK_PhishAttachment Create hunting rule
Author:	ignacior
Description:	Detects suspicius tiny ZIP files with malicious lnk files
Reference:	Internal Research

Rule name:	SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious tiny ZIP files with phishing attachment characteristics
Reference:	Internal Research