MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a059d70e4f9095f167bd34ea4dfdab33be8f599907daefbd05f2ba3f2d6302be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	a059d70e4f9095f167bd34ea4dfdab33be8f599907daefbd05f2ba3f2d6302be
SHA3-384 hash:	271124b97f213ad39a9ac5a9d98a8945637f252608e02dc9002e026a6d0244d7a781c4a0fc0fc498db7de0085aca247e
SHA1 hash:	f99cf85b16f054713aedc017011803a45e3f3114
MD5 hash:	20063941491e5727cb2cbf824c656294
humanhash:	nine-connecticut-low-magnesium
File name:	ЕС-аас Хөндөж болзошгүй асуудал.zip
Download:	download sample
File size:	670'992 bytes
First seen:	2026-04-02 09:19:49 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:wdIM5CKurUbWLD596+I9sRTSnwFJqs7rR04bqDY001b7undDG0:wdIM5CK4UbWLDolYMs3R04bCI1fui0
TLSH	T1A6E4BE01FFA09135E16B167248D6B2710A3FBEB54BB089C7BB91071A4B302D5B9376F6
TrID	52.2% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4) 38.8% (.ZIP) Open Packaging Conventions container (17500/1/4) 8.8% (.ZIP) ZIP compressed archive (4000/1)
Magika	zip
Reporter	smica83
Tags:	Plugx zip

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	ЕС-аас Хөндөж болзошгүй асуудал.lnk
File size:	2'435 bytes
SHA256 hash:	ddcf3af805f277e33c0a50c757789b4bc835b97e4a065e54d97e6dd4a7b280c1
MD5 hash:	43a7078411a39ba9d798496104c448a8
MIME type:	application/octet-stream

Vendor Threat Intelligence

Gathering data

Detection(s):

Sanesecurity.Foxhole.Lnk_Zip_1.UNOFFICIAL

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL

MiscreantPunch.SingleXOR.EXE.198.UNOFFICIAL

Gathering data

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/a059d70e4f9095f167bd34ea4dfdab33be8f599907daefbd05f2ba3f2d6302be/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autorun evasive masquerade powershell smb

Link:

https://www.filescan.io/uploads/69ce34cd972c219c8d75e921/reports/85164783-4df5-4ccb-bb4e-de72cec0342c/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/a059d70e4f9095f167bd34ea4dfdab33be8f599907daefbd05f2ba3f2d6302be

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/a059d70e4f9095f167bd34ea4dfdab33be8f599907daefbd05f2ba3f2d6302be

Details

Hidden Powershell

Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.

Verdict:

Malicious

File Type:

zip

First seen:

2026-04-02T07:49:00Z UTC

Last seen:

2026-04-02T07:56:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/a059d70e4f9095f167bd34ea4dfdab33be8f599907daefbd05f2ba3f2d6302be/results?tab=lookup

Verdict:

Malware

YARA:

3 match(es)

Tags:

Batch Command DeObfuscated Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:powershell.exe Malicious PowerShell PowerShell Call T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002 Zip Archive

Link:

https://app.malva.re/file/20063941491e5727cb2cbf824c656294

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a059d70e4f9095f167bd34ea4dfdab33be8f599907daefbd05f2ba3f2d6302be/

Threat name:

Win32.Trojan.Suschil

Status:

Malicious

First seen:

2026-04-02 09:20:35 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ubm5odspsck7cz55gtve37nlgo7i6wmza7no7pif6k5d6lldak7a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/260402-mzmm5agy3r/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a059d70e4f9095f167bd34ea4dfdab33be8f599907daefbd05f2ba3f2d6302be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Archive_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies archive (compressed) files in shortcut (LNK) files.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample