MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cb26a90925c6dc9cee98be384fc2fb478eaf52d32f4e036c56b5cbf1fe4fbd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 9cb26a90925c6dc9cee98be384fc2fb478eaf52d32f4e036c56b5cbf1fe4fbd3
SHA3-384 hash: e5366e0ac0afc1d0246c476e9605ca279aa7633d8c6c60536b97da8a6a7be791373fb491fe6bea69866bdd164c16ec5d
SHA1 hash: da5139fe3c82cc424f02e79ff7c01e2f349e3af4
MD5 hash: b364f9f833689eedec6e91b8f74fbb8e
humanhash: sad-paris-harry-north
File name: unknown-phishing.zip
File size: 403'607 bytes
First seen: 2025-09-21 14:48:13 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 6144:t7/VjFfo+9oB5isCnaV5hewM3kuCiK9/hBJgwbb5xWDGrV/YvZqrWQuKpLcryL:t7/ZFFOZPiK9/Ng0x+E7cryL
TLSH: T1FB8423B5CA0DF37EA29938362E1CF8AC6B480681D1F714D4ABF6B49013452DE693E5F4
Magika: zip
Reporter: kafan_shengui
Tags: dll-hijack, Parallax, zip


kafan_shengui:
C&C: 206.119.175.162
Black dll: https://www.virustotal.com/gui/file/3f7819debdca5df5a6cd50147b51bceba12c5e0f8a6961b1612777080496dde1/detection

Intelligence

File Origin
# of uploads: 1
# of downloads: 38
Origin country: US
File Archive Information

This file archive contains 7 file(s), sorted by their relevance:

File name: keytool.exe
File size: 19'440 bytes
SHA256 hash: 367c0bbc72b885e313f6731e98c7e4fa2d95c3cadb76e642a8492f8b12b3d9de
MD5 hash: e94e7b953e67cc7f080b83d3a1cdcb1f
MIME type: application/x-dosexec

File name: api-ms-win-crt-heap-l1-1-0.dll
File size: 19'264 bytes
SHA256 hash: 0e4f6c9a1e532a37a0701bc9ac67b86d5af3d7faa1d799196c93ccbd1d32e396
MD5 hash: 97fb42ef6ad5463b0db6fb6e515e07d5
MIME type: application/x-dosexec

File name: vcruntime140.dll
File size: 83'792 bytes
SHA256 hash: cdc006fc80c4437d009b8c72008a443a9ee5bce383d8b3dc16aeec0e081cfe32
MD5 hash: f4b8a73c18e65eb5af950751eb71994a
MIME type: application/x-dosexec

File name: msvcr100.dll
File size: 773'968 bytes
SHA256 hash: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
MD5 hash: bf38660a9125935658cfa3e53fdc7d65
MIME type: application/x-dosexec

File name: api-ms-win-crt-runtime-l1-1-0.dll
File size: 22'848 bytes
SHA256 hash: 756f21a051c771471c790f9bedd859964c5723b92e7c9f857fedcf359389533a
MD5 hash: 614d4ee35d5e0a38394dcab2f7f3e062
MIME type: application/x-dosexec

File name: jli.dll
File size: 12'288 bytes
SHA256 hash: 3f7819debdca5df5a6cd50147b51bceba12c5e0f8a6961b1612777080496dde1
MD5 hash: 3ca440a3f4800090ee691e037a9ce501
MIME type: application/x-dosexec

File name: CreateHiddenTask.vbs
File size: 1'005 bytes
SHA256 hash: 190d493255c71f3cebb968c197aeef67c62d597b488c4a0b8cd77751e5999b94
MD5 hash: 6ea9555f1874d13246726579263161e8
MIME type: text/plain
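As an added triage example (not part of the MalwareBazaar page and not abuse.ch tooling): the script below hashes every member of a local copy of the archive, compares the digests with the member table above, and lists the EXE/DLL co-location that the dll-hijack tag refers to (keytool.exe shipped beside jli.dll, the DLL the reporter calls the "black dll"). Member names and SHA256 values are copied from the listing; the runtime-DLL prefix list, the name-based sideload heuristic and the constructed placeholder archive used for the offline run are assumptions of this example, not facts from the entry.

```python
"""Triage helper for a MalwareBazaar archive sample (added example, not abuse.ch code).

Given the bytes of the downloaded .zip, hash each member, compare with the
member table published in the entry, and point out the EXE/DLL layout behind
the dll-hijack tag.
"""
import hashlib
import io
import zipfile

# SHA256 values of the seven members, copied from this MalwareBazaar entry.
ENTRY_MEMBERS = {
    "keytool.exe": "367c0bbc72b885e313f6731e98c7e4fa2d95c3cadb76e642a8492f8b12b3d9de",
    "api-ms-win-crt-heap-l1-1-0.dll": "0e4f6c9a1e532a37a0701bc9ac67b86d5af3d7faa1d799196c93ccbd1d32e396",
    "vcruntime140.dll": "cdc006fc80c4437d009b8c72008a443a9ee5bce383d8b3dc16aeec0e081cfe32",
    "msvcr100.dll": "60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa",
    "api-ms-win-crt-runtime-l1-1-0.dll": "756f21a051c771471c790f9bedd859964c5723b92e7c9f857fedcf359389533a",
    "jli.dll": "3f7819debdca5df5a6cd50147b51bceba12c5e0f8a6961b1612777080496dde1",
    "CreateHiddenTask.vbs": "190d493255c71f3cebb968c197aeef67c62d597b488c4a0b8cd77751e5999b94",
}

# Assumption of this example: DLL name prefixes that usually travel with a
# sideload kit as genuine runtime dependencies. Anything else next to the
# EXE is the DLL worth looking at first.
RUNTIME_DLL_PREFIXES = ("api-ms-win-", "vcruntime", "msvcr", "msvcp", "ucrtbase")


def hash_members(zip_bytes):
    """Return {member_name: sha256_hex} for every file in the zip; directory entries are skipped."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                out[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_with_entry(member_hashes, expected=ENTRY_MEMBERS):
    """Classify each member as 'match', 'mismatch' or 'not_listed'; listed names absent
    from the archive are reported as 'missing'. A mismatch means the local file is not
    the one the entry describes, so re-download before analysing it."""
    result = {}
    for name, digest in member_hashes.items():
        base = name.rsplit("/", 1)[-1]  # tolerate a leading folder inside the zip
        if base not in expected:
            result[name] = "not_listed"
        elif expected[base].lower() == digest.lower():
            result[name] = "match"
        else:
            result[name] = "mismatch"
    present = {n.rsplit("/", 1)[-1] for n in member_hashes}
    for name in expected:
        if name not in present:
            result[name] = "missing"
    return result


def sideload_layout(member_names):
    """Return (exe, [candidate DLLs]) pairs: each EXE with the non-runtime DLLs in its folder.
    Name-based heuristic only; it does not read the EXE's import table, so confirm the
    import with a PE parser before drawing conclusions."""
    by_dir = {}
    for name in member_names:
        folder, _, base = name.rpartition("/")
        by_dir.setdefault(folder, []).append(base)
    pairs = []
    for names in by_dir.values():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower().endswith(".dll")
                and not n.lower().startswith(RUNTIME_DLL_PREFIXES)]
        for exe in exes:
            pairs.append((exe, sorted(dlls)))
    return pairs


def build_constructed_sample():
    """Constructed stand-in archive with the entry's member names and dummy contents,
    so the script runs offline. The real files are not reproduced here, so every
    member will (correctly) show up as a hash mismatch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ENTRY_MEMBERS:
            zf.writestr(name, b"placeholder contents for " + name.encode())
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_constructed_sample() with open("unknown-phishing.zip", "rb").read()
    # to check a real download against the entry.
    hashes = hash_members(build_constructed_sample())
    for name, verdict in sorted(compare_with_entry(hashes).items()):
        print(f"{verdict:10} {name}")
    for exe, dlls in sideload_layout(list(hashes)):
        print(f"{exe} ships next to non-runtime DLL(s): {', '.join(dlls)}")
```

On the real archive every listed member should come back as a match; the layout check then singles out jli.dll as the only non-runtime DLL beside keytool.exe, which is the pairing to examine first.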
Vendor Threat Intelligence

Verdict: Malicious
Score: 81.4%
Tags: injection obfusc crypt

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm expired-cert microsoft_visual_cc overlay signed

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: inconclusive
YARA: 3 match(es)
Tags: Zip Archive

Threat name: Win32.Hacktool.Sysdupate
Status: Malicious
First seen: 2025-09-21 14:49:39 UTC
File Type: Binary (Archive)
Extracted files: 8
AV detection: 12 of 24 (50.00%)
Threat level: 1/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_no_import_table
Description: Detects a PE file with no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments