MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84898475749d0f301a03747e5f7b9ac2d8456267d49bc5209c7343eda4815b33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84898475749d0f301a03747e5f7b9ac2d8456267d49bc5209c7343eda4815b33
SHA3-384 hash: 286eca4ea8a1f292cdf5c6c1ab119fdee311c2e9bfac5b6c9363a6fb5b7c98e256791f1a24b4e1cbf5eaab8b474b5ee4
SHA1 hash: ee23829669cba54d0ecb3793f3b161860cf3f236
MD5 hash: 244532721eb010c2eb9a5768749f97d0
humanhash: colorado-kansas-delta-aspen
File name:GenP_3.7.1_SOURCE-CGP.zip
Download: download sample
File size:956'236 bytes
First seen:2025-12-07 11:25:27 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:5StMjk72RCz0I/KynmcvVuPWWAkRBE0yArqtxeJ:Ita2KO0LsQWWluIlJ
TLSH T15015337278A772AAC0D84575F6DBE5C06BF3A93504ECE28E18D1A2CFF87B5902E5405C
Magika zip
Reporter juroots
Tags:zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
27
Origin country :
IL IL
File Archive Information

This file archive contains 10 file(s), sorted by their relevance:

File name:GenP-3.7.1.au3
File size:136'240 bytes
SHA256 hash: bbc204ed91c9c8321851addffc76ff335d6e562cf581ad883bc85b0e097c96b3
MD5 hash: 9fac089847b2228b01ebff6d23c712ce
MIME type:application/octet-stream
File name:run_build.bat
File size:535 bytes
SHA256 hash: e89150350b8b4d6957c180b8c044f367cdea8d0d0b71c8f59dca8f9ec99a2be5
MD5 hash: 2a1b445614f030c40fb92204611c1034
MIME type:text/x-msdos-batch
File name:wintrust.dll
File size:382'712 bytes
SHA256 hash: ecb263d1f71b514cbd3abae65bac84942355e0c2b31c3c11ba35709716caaee4
MD5 hash: 1b3bf770d4f59ca883391321a21923ae
MIME type:application/x-dosexec
File name:CYBERMANIA.URL
File size:4'362 bytes
SHA256 hash: 7fba1e8849a88298272be247c2b22ef4a50ac1bc4c83a4c02848bc131e622088
MD5 hash: f89e823b83f9edc863ae9e35ea0a5949
MIME type:application/x-wine-extension-ini
File name:upx-5.0.1-win64.zip
File size:646'087 bytes
SHA256 hash: c288989437ce70646a62799a4dcf25b4ec7ad8fbb4f93a29e25c14856659c1a4
MD5 hash: c7e44b194229b217d7e859c14714ba2f
MIME type:application/zip
File name:config.ini
File size:12'227 bytes
SHA256 hash: 49eb049a9c13f4c0a57f66cb1be275d13a5aa3b5814c25e71ddf211b3a54ba79
MD5 hash: a1c2977dbfd3343d1c2575e9967b532c
MIME type:application/x-wine-extension-ini
File name:CGP.nfo
File size:34'500 bytes
SHA256 hash: 8f34b90843cfab61d1a79b0b6fa47a2a22d41361d6afcd47f5d40bc1e1fbf7c5
MD5 hash: 7c884e9fefbd2f7162dbaec46612a0de
MIME type:text/plain
File name:build.ps1
File size:19'061 bytes
SHA256 hash: 14be137b4644140653363fa7b13ada4b66e50a57257226bd231d62aadf8364ae
MD5 hash: 3489ee25b34b46deabe8d371ee8b0d76
MIME type:text/plain
File name:patch_wintrust.ps1
File size:1'926 bytes
SHA256 hash: a73b572bbf1ddbf7d9f5a03ea5ecf9e2c296ecbefbc60104656f21644b20b2f2
MD5 hash: 4c1563eb08376a1fc0979a18c1df28fc
MIME type:text/plain
File name:build_info.txt
File size:125 bytes
SHA256 hash: 5bff34f3b20e7489574185a1f3c1263221ffb5e1bac4449d25520432678a8b42
MD5 hash: fe91d47527e7ec9024f4d263a5884de5
MIME type:text/plain
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/ceca4957-f110-47cd-a1cc-7896c7f0aa25/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69356463920336450abc11cb
Tags:
autoit
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/84898475749d0f301a03747e5f7b9ac2d8456267d49bc5209c7343eda4815b33
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/84898475749d0f301a03747e5f7b9ac2d8456267d49bc5209c7343eda4815b33
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malicious Scriptlet 2 of 7
Detected a malicious pivot typically seen during the 'file-less' pivot commonly seen in malware carriers.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Verdict:
Unknown
File Type:
zip
First seen:
2025-11-03T04:41:00Z UTC
Last seen:
2025-12-06T09:01:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/84898475749d0f301a03747e5f7b9ac2d8456267d49bc5209c7343eda4815b33/results?tab=lookup
Score:
31%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/84898475749d0f301a03747e5f7b9ac2d8456267d49bc5209c7343eda4815b33
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Zip Archive
Link:
https://app.malva.re/file/244532721eb010c2eb9a5768749f97d0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84898475749d0f301a03747e5f7b9ac2d8456267d49bc5209c7343eda4815b33/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-03 23:32:23 UTC
File Type:
Binary (Archive)
Extracted files:
25
AV detection:
4 of 36 (11.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qseyi5lutuhtagqdor7f6642ylmekyth2sn4kie4onb63jeblmzq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution upx
Link:
https://tria.ge/reports/251207-vrhcfadp7x/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Malware Config
Dropper Extraction:
https://www.autoitscript.com/files/autoit3/autoit-v3.zip
https://www.autoitscript.com/autoit3/scite/download/SciTE4AutoIt3_Portable.zip
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/84898475749d0f301a03747e5f7b9ac2d8456267d49bc5209c7343eda4815b33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO
Create hunting rule
Author:@itsreallynick (Nick Carr)
Description:Detects possible shortcut usage for .URL persistence
Reference:https://twitter.com/ItsReallyNick/status/1176229087196696577
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zip 84898475749d0f301a03747e5f7b9ac2d8456267d49bc5209c7343eda4815b33

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3728652/
  
Delivery method
Distributed via web download

Comments