MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a04f1e456059cae6d1351d85f6c267ba4adf52587df75e0bdc0d941779d431d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emmenhtal


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a04f1e456059cae6d1351d85f6c267ba4adf52587df75e0bdc0d941779d431d6
SHA3-384 hash: 61fdb6c760c43f2dc0403024a3ecf154645feb9ed656a238f51fb7256ac9579da65d5d732a5bc16befbe34e1be721750
SHA1 hash: 81f11fe1b4cc2f19a11a126e400cde512e81d60b
MD5 hash: e37531c134adb48616002e5178ad12ec
humanhash: october-muppet-equal-blue
File name:SecuriteInfo.com.JS.Packed.138.13144.11570
Download: download sample
Signature Emmenhtal
Create hunting rule
File size:1'608'581 bytes
First seen:2025-07-05 15:49:23 UTC
Last seen:2025-07-05 16:36:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 867a1d122110fa3520a2ad77ab7a12fa (2 x Emmenhtal)
ssdeep 24576:ZIhirDE3tY1IhirDE3tY8IhirDE3tYLIhirDE3tY8IhirDE3tY:ZIhbq1Ihbq8IhbqLIhbq8Ihbq
TLSH T115754B21654908B6DC7EA270E8CDB6E411AEA8734F0415F35270B7BD68752F27C3B68E
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon c0a692c9adb68e98 (2 x Emmenhtal)
Reporter SecuriteInfoCom
Tags:Emmenhtal exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
21
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rl_a04f1e456059cae6d1351d85f6c267ba4adf52587df75e0bdc0d941779d431d6
Verdict:
No threats detected
Analysis date:
2025-07-05 16:03:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/476fa8f4-583a-402a-9d58-f1a3c544c0c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12459/
Detection(s):
ditekSHen.MALWARE.Win.Trojan.FakeCaptcha-Downloader.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686949c6900df8e7f86730de
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug fingerprint lumma microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/686949db9db85bde254c08da/reports/4bbee5c0-ba83-4caa-ba17-3aa3a6507c63/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/a04f1e456059cae6d1351d85f6c267ba4adf52587df75e0bdc0d941779d431d6
Malware family:
MustardSandwich
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f502922-35e7-4733-9bed-f6e82ad77bee
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a04f1e456059cae6d1351d85f6c267ba4adf52587df75e0bdc0d941779d431d6
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable Html PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/e37531c134adb48616002e5178ad12ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a04f1e456059cae6d1351d85f6c267ba4adf52587df75e0bdc0d941779d431d6/
Threat name:
Win32.Dropper.Lumma
Create hunting rule
Status:
Malicious
First seen:
2025-07-05 08:44:34 UTC
File Type:
PE (Exe)
Extracted files:
304
AV detection:
16 of 24 (66.67%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubhr4rlalhfonujvdwc7nqthxjfn6usypx3v4c64bwkbo6oughla._file
Result
Malware family:
emmenhtal
Create hunting rule
Score:
  10/10
Tags:
family:emmenhtal discovery
Link:
https://tria.ge/reports/250705-s95jkszxf1/
Behaviour
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/de818352-9497-4318-8814-51633c0750a0
Unpacked files
SH256 hash:
a04f1e456059cae6d1351d85f6c267ba4adf52587df75e0bdc0d941779d431d6
MD5 hash:
e37531c134adb48616002e5178ad12ec
SHA1 hash:
81f11fe1b4cc2f19a11a126e400cde512e81d60b
Detections:
Emmenhtal
Create hunting rule
Link:
https://www.unpac.me/results/3e498049-a51b-46c5-bf3c-6d8e586747fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a04f1e456059cae6d1351d85f6c267ba4adf52587df75e0bdc0d941779d431d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IDATDropper
Create hunting rule
Author:NDA0E
Description:Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).
Rule name:MALWARE_Win_FakeCaptcha_Downloader
Create hunting rule
Author:ditekshen
Description:Detects downloader executables dropped by fake captcha
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Emmenhtal

Executable exe a04f1e456059cae6d1351d85f6c267ba4adf52587df75e0bdc0d941779d431d6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/12459/
  
URLhaus
https://urlhaus.abuse.ch/url/3576923/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::OpenSemaphoreW
KERNEL32.dll::CloseHandle
MSCTF.dll::TF_CreateThreadMgr
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
WIN_BASE_IO_APICan Create FilesSHELL32.dll::SHCreateDirectoryExW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::ActivateKeyboardLayout
USER32.dll::EmptyClipboard
USER32.dll::FindWindowW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments