MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a49310a9192cab1aa05256b6ca0d0c1a54fe084b103ff4df2d17be9effa3300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 7a49310a9192cab1aa05256b6ca0d0c1a54fe084b103ff4df2d17be9effa3300
SHA3-384 hash: 55756e6a34305ed1cca65a153c538d0fec2c0bdbb2f88f6ed22c1d179168543275e928905487e0eb11ddfd395547377d
SHA1 hash: ac81c996275f0b1b08f7244eea21fe2b851aa705
MD5 hash: 8720bfc31e1848e788f3ad1175be1195
humanhash: kentucky-eighteen-missouri-nebraska
File name: No.4638.hta
File size: 505 bytes
First seen: 2025-09-04 07:45:43 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 12:xgkG6QclfhfGvuDiOF0XDfczMJCWb/5NuF6CFMCYf:xyspeWWlzKMFBNuF6CFMCC
Threatray: 5 similar samples on MalwareBazaar
TLSH: T15DF0A3A12C008D642333C67625EBF12CEB03308391008841F4CD569B2FB27478ED37B5
Magika: html
Reporter: smica83
Tags: d32tpl7xt7175h-cloudfront-net hta Plugx vnptgroup-it-com

Intelligence


File Origin
# of uploads: 1
# of downloads: 54
Origin country: HU
Vendor Threat Intelligence
Result
Verdict: Clean
File Type: HTA File
Payload URLs
URL: http://d32tpl7xt7175h.cloudfront.net/XgPK9CpZENdh'
File name: HTA File
Verdict: Unknown
File Type: hta
First seen: 2025-09-04T04:10:00Z UTC
Last seen: 2025-09-04T04:10:00Z UTC
Hits: ~10
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 96 / 100
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes itself after installation
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking mutex)
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execution from Suspicious Folder
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Behavior Graph ID: 1770942
Sample: No.4638.hta
Startdate: 04/09/2025
Architecture: WINDOWS
Score: 96
Root node: contacts vnptgroup.it.com, x1.i.lencr.org and 4 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: New RUN Key Pointing to Suspicious Folder; 4 other signatures. Starts mshta.exe, cnmpaui.exe and cnmpaui.exe.
mshta.exe: contacts d32tpl7xt7175h.cloudfront.net 3.168.117.180, 443, 49713, 49714 AMAZON-02US United States. Drops C:\Users\Public\cnmpaui.exe (PE32) and C:\Users\Public\cnmpaui.dll (PE32). Signatures: Drops PE files to the user root directory; Deletes itself after installation. Starts cnmpaui.exe and Acrobat.exe.
cnmpaui.exe (started from the root node): Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Found evasive API chain (may stop execution after checking mutex); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent).
cnmpaui.exe (started by mshta.exe): contacts vnptgroup.it.com 104.21.19.28, 443, 49720, 49734 CLOUDFLARENETUS United States. Drops C:\Users\Public\SecurityScan\cnmpaui.exe (PE32) and C:\Users\Public\SecurityScan\cnmpaui.dll (PE32). Signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process.
Acrobat.exe (started by mshta.exe): starts AcroCEF.exe.
AcroCEF.exe: contacts e8652.dscx.akamaiedge.net 23.46.224.249, 49729, 80 AKAMAI-ASUS United States. Starts a second AcroCEF.exe.
AcroCEF.exe (child): contacts 23.56.162.204, 443, 49730 AKAMAI-ASUS United States.
Verdict: inconclusive
YARA: 2 match(es)
Tags: Html Javascript in Html
Threat name: Script-JS.Downloader.Nemucod
Status: Malicious
First seen: 2025-09-04 07:54:31 UTC
File Type: Text (HTML)
Extracted files: 1
AV detection: 5 of 24 (20.83%)
Threat level: 3/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
System Location Discovery: System Language Discovery
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments