MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a
SHA3-384 hash: 16c977404f4cd7dbdc59d7ea605efca7143f44cae8d3ebf8909078aaf2f463f0e3e89dd0105d7aeea54acb8ce2fcdf0a
SHA1 hash: 4c57a3faae0343ac5fca2b3d2caeebd09965c47d
MD5 hash: df9f18c7f7935ff56c25d906e11a7dbf
humanhash: potato-crazy-lamp-mobile
File name:SOA UPDATED.zip
Download: download sample
File size:680'159 bytes
First seen:2025-08-07 10:33:20 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:G0xDbK/HvtrslHwygq2OWO3TlmOvQnhi3dcF5TBJspgkTg/Q5guOD:G2KvFsRwlXOWOxLWFCxTg/Q5gz
TLSH T145E4239CD4579AB8FE38D61104BE1E33239D864D7E9058DA806FBF54239ACC94B726CC
Magika zip
Reporter cocaman
Tags:zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Accounting <accounting@stansfeldscott.com>" (likely spoofed)
Received: "from stansfeldscott.com (unknown [192.227.246.109]) "
Date: "5 Aug 2025 17:42:03 +0200"
Subject: "Account Statement Follow Up / 07-24-2025 / ANUHAL"
Attachment: "SOA UPDATED.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:SOA UPDATED.exe
File size:723'456 bytes
SHA256 hash: 569a8966063dfd542b595f0022b9e1c4fc06ae2c01cc622fc4d460bfdb287fcf
MD5 hash: 10ee4ad3d3a3f429832fc15529f28c1f
MIME type:application/x-dosexec
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs3271.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.MalwareX-gen.31438582.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6892046711d7f9b979e59caa
Tags:
virus krypt
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks squirrel stego telegram vbc vbnet
Link:
https://www.filescan.io/uploads/68948112397fd3ce6fa0a170/reports/aed0e614-2f0d-4bda-9507-b834eec2740c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a/
Verdict:
Malicious
Threat:
HEUR:Trojan-PSW.MSIL.Agensla
Link:
https://tip.neiki.dev/file/94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-08-05 07:35:38 UTC
File Type:
Binary (Archive)
Extracted files:
9
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=stffnlpcgxcajjgoxllpyy2q4szeomrv3giy6q6akeuwsutple5a._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250807-mnrgyafr6z/
Behaviour
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 94ca56ade235c404a4cebad6fc6350e4b2473235d9918f43c0512969526f593a

(this sample)

Executable exe 569a8966063dfd542b595f0022b9e1c4fc06ae2c01cc622fc4d460bfdb287fcf

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 569a8966063dfd542b595f0022b9e1c4fc06ae2c01cc622fc4d460bfdb287fcf
  
Dropping
MD5 10ee4ad3d3a3f429832fc15529f28c1f

Comments