MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96a87656db90b657c1f480b56bad7c8432d4aa4b351da5813cee6818fa624138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emmenhtal


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96a87656db90b657c1f480b56bad7c8432d4aa4b351da5813cee6818fa624138
SHA3-384 hash: d3248ddea3b4057174ac3d273c206a57c729a11e188a451bd6397a895de882dc000628ff36f359d1f669dd91cbf15890
SHA1 hash: 748c263f301c915d49e8ba702a567cb0c794dbd9
MD5 hash: cece33a0329eb7bf5ec5379a638f869a
humanhash: purple-emma-asparagus-fifteen
File name:SecuriteInfo.com.JS.Packed.138.1397.17789
Download: download sample
Signature Emmenhtal
Create hunting rule
File size:17'885'954 bytes
First seen:2025-06-28 16:32:02 UTC
Last seen:2025-06-28 17:35:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 612ed09aad1b681b8cbeb72e4bdb3673 (5 x Emmenhtal)
ssdeep 196608:GWERS60tez1XS8ThWERS60tez1XS8TaWERS60tez1XS8THWERS60tez1XS8TBWEJ:s0B0X0B0o0B0J0B030B0
Threatray 1 similar samples on MalwareBazaar
TLSH T1B307D713F74E6372F4BE627405CB3728922DE7742BE602E7355407A859A07C92AF217B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e43a6a71b0e8e871 (5 x Emmenhtal, 1 x CoinMiner)
Reporter SecuriteInfoCom
Tags:Emmenhtal exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
584
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Report Form.lnk
Verdict:
Malicious activity
Analysis date:
2025-06-28 15:15:58 UTC
Tags:
emmenhtal
Link:
https://app.any.run/tasks/07729f65-afc5-4dc2-aa13-bcea93e17f2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/11490/
Detection(s):
SecuriteInfo.com.JS.Packed.138.1397.17789.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.FakeCaptcha-Downloader.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68601a1f37c343677946a7f4
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/96a87656db90b657c1f480b56bad7c8432d4aa4b351da5813cee6818fa624138
Score:
9%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/96a87656db90b657c1f480b56bad7c8432d4aa4b351da5813cee6818fa624138
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable Html PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/cece33a0329eb7bf5ec5379a638f869a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96a87656db90b657c1f480b56bad7c8432d4aa4b351da5813cee6818fa624138/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-28 14:53:43 UTC
File Type:
PE (Exe)
Extracted files:
94
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s2uhmvw3sc3fpqpuqc2wxll4qqznjkslguo2laj45zubr6tcie4a._file
Verdict:
malicious
Label(s):
emmenhtal
Create hunting rule
Similar samples:
2d13c5ef77f734a93a86e11e1287c5bbaa2321c39fdcfd5899a164c1b8cad307
Emmenhtal
error
Emmenhtal
Result
Malware family:
emmenhtal
Create hunting rule
Score:
  10/10
Tags:
family:emmenhtal discovery
Link:
https://tria.ge/reports/250628-t4bjzsxxcv/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dccbbbcb-66e4-402c-a828-7bda83d3a411
Unpacked files
SH256 hash:
96a87656db90b657c1f480b56bad7c8432d4aa4b351da5813cee6818fa624138
MD5 hash:
cece33a0329eb7bf5ec5379a638f869a
SHA1 hash:
748c263f301c915d49e8ba702a567cb0c794dbd9
Detections:
Emmenhtal
Create hunting rule
Link:
https://www.unpac.me/results/0b46a723-f765-4316-a987-4538c06b84ce/
SH256 hash:
9673a83ef105864999fa654579aced8d9e05fd02f1fc82fc21e2df295cf940ba
MD5 hash:
f4c9ce4c688180ee40a154a661cde6f0
SHA1 hash:
516faf7d4a3074c2c4d9c6231de36225818097a8
Link:
https://www.unpac.me/results/0b46a723-f765-4316-a987-4538c06b84ce/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:IDATDropper
Create hunting rule
Author:NDA0E
Description:Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).
Rule name:MALWARE_Win_FakeCaptcha_Downloader
Create hunting rule
Author:ditekshen
Description:Detects downloader executables dropped by fake captcha
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Emmenhtal

Executable exe 96a87656db90b657c1f480b56bad7c8432d4aa4b351da5813cee6818fa624138

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3571066/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/11490/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationapi-ms-win-security-base-l1-1-0.dll::AllocateAndInitializeSid
api-ms-win-security-base-l1-1-0.dll::CopySid
api-ms-win-security-base-l1-1-0.dll::FreeSid
api-ms-win-security-base-l1-1-0.dll::GetLengthSid
api-ms-win-security-base-l1-1-0.dll::GetTokenInformation
api-ms-win-security-base-l1-1-0.dll::IsValidSid
COM_BASE_APICan Download & Execute componentsapi-ms-win-core-com-l1-1-0.dll::CoCreateInstance
api-ms-win-core-com-l1-1-0.dll::CreateStreamOnHGlobal
SECURITY_BASE_APIUses Security Base APIapi-ms-win-security-base-l1-1-0.dll::AccessCheck
api-ms-win-security-base-l1-1-0.dll::AddAccessAllowedAce
api-ms-win-security-base-l1-1-0.dll::AddAce
api-ms-win-security-base-l1-1-0.dll::DuplicateToken
api-ms-win-security-base-l1-1-0.dll::GetAclInformation
api-ms-win-security-base-l1-1-0.dll::GetSecurityDescriptorControl
WIN32_PROCESS_APICan Create Process and Threadsapi-ms-win-core-processthreads-l1-1-0.dll::CreateProcessW
api-ms-win-core-processthreads-l1-1-0.dll::OpenProcessToken
api-ms-win-core-processthreads-l1-1-1.dll::OpenProcess
api-ms-win-core-synch-l1-1-0.dll::OpenSemaphoreW
api-ms-win-core-handle-l1-1-0.dll::CloseHandle
api-ms-win-core-processthreads-l1-1-0.dll::CreateThread
api-ms-win-core-threadpool-l1-2-0.dll::CreateThreadpoolWork
WIN_BASE_APIUses Win Base APIapi-ms-win-core-processthreads-l1-1-0.dll::TerminateProcess
api-ms-win-core-libraryloader-l1-2-0.dll::LoadLibraryExW
api-ms-win-core-libraryloader-l1-2-0.dll::LoadLibraryExA
api-ms-win-core-sysinfo-l1-1-0.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Filesapi-ms-win-core-file-l2-1-2.dll::CopyFileW
api-ms-win-core-file-l1-1-0.dll::CreateFileW
api-ms-win-core-file-l1-1-0.dll::DeleteFileW
api-ms-win-core-sysinfo-l1-1-0.dll::GetSystemDirectoryW
api-ms-win-core-file-l1-1-0.dll::GetFileAttributesW
api-ms-win-core-file-l1-1-0.dll::FindFirstFileW
WIN_CRYPT_APIUses Windows Crypt APIapi-ms-win-security-cryptoapi-l1-1-0.dll::CryptAcquireContextW
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptCreateHash
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptDecrypt
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptEncrypt
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptExportKey
api-ms-win-security-cryptoapi-l1-1-0.dll::CryptGenKey
WIN_REG_APICan Manipulate Windows Registryapi-ms-win-core-registry-l1-1-0.dll::RegCreateKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegGetValueW
api-ms-win-core-registry-l1-1-0.dll::RegOpenKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegQueryInfoKeyW
api-ms-win-core-registry-l1-1-0.dll::RegQueryValueExW
api-ms-win-core-registry-l1-1-0.dll::RegSetValueExW

Comments