MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8cd80793c479cf48d4860343e9727fda4e98824c35fd71abee1acb21c6cfb74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 9 File information Comments

SHA256 hash:	a8cd80793c479cf48d4860343e9727fda4e98824c35fd71abee1acb21c6cfb74
SHA3-384 hash:	37cd4b20609b0deae4db412ab9367bf4366e886e8f6773e86bf42d767a4920dd3b56b29182d8cfd6000acc02a35418f4
SHA1 hash:	20ce5125a0195aba4542d4f35a634da56be4000c
MD5 hash:	5a879c90b2f8b95997f5114baad5e648
humanhash:	mobile-twelve-pizza-sad
File name:	NF-9eac306f-d134-4609-9c58yzv.iso
Download:	download sample
File size:	151'552 bytes
First seen:	2026-06-23 10:48:48 UTC
Last seen:	Never
File type:	iso
MIME type:	application/x-iso9660-image
ssdeep	3072:2jjjZz2gv7WLBXlmHA37uqQmsPDX+L1MtZ8g9XmR5an1D7JCLvlPho:gjq
TLSH	T199E3D67B6A9149C9F734C23E435F5042B792B303B62695F679AE3569C3FFBA10108638
TrID	88.5% (.NULL) null bytes (2048000/1) 11.0% (.HTP) HomeLab/BraiLab Tape image (256000/1) 0.2% (.ATN) Photoshop Action (5007/6/1) 0.1% (.ISO) ISO 9660 CD image (2545/36/1) 0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
Magika	iso
Reporter	FXOLabs
Tags:	iso

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	NF-9eac306f-d134-4609-9c58yzv.pdf.lnk
File size:	2'008 bytes
SHA256 hash:	06c4480b3f4d9d2b162c6cceef6b7a7fd5bb6f0f34e12d4bb63859d79690b5dd
MD5 hash:	c69c8b6dcbe56e97fbfb768b834b1c62
MIME type:	application/octet-stream

File name:	NF-9eac306f-d134-4609-9c58yzv.xml
File size:	86'933 bytes
SHA256 hash:	31847ef7a799af1fa266835d5dc86508c0015d5a3ad8ffefbb77901a3923c3bb
MD5 hash:	ca661092f31a92ca09ab27ca8d3f7489
MIME type:	text/plain

Vendor Threat Intelligence

Malware configuration found for:

Archives LNK

Details

Link:

https://research.acce.ciphertechsolutions.com/results/e88731c0-564d-4960-8d12-548b2164296a/

Detection(s):

SecuriteInfo.com.Heur.25737.8946.UNOFFICIAL

TwinWave.EvilLNK.PkillLOLBinWrapBattle.20220620.UNOFFICIAL

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL

TwinWave.EvilLNK.MSBuildWildSituation.20240709.UNOFFICIAL

Sanesecurity.Foxhole.Iso_pdf.UNOFFICIAL

TwinWave.EvilLNK.LOLBinOddLook.20220622.UNOFFICIAL

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a3a64c286bc95245bf8de99

Tags:

virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lolbin masquerade msbuild

Link:

https://www.filescan.io/uploads/6a3a64bd62d0679105fcf077/reports/68453647-9e1c-4340-890d-47d68b0f9cc5/overview

Verdict:

Suspicious

Link:

https://www.hybrid-analysis.com/sample/a8cd80793c479cf48d4860343e9727fda4e98824c35fd71abee1acb21c6cfb74

Verdict:

Clean

File Type:

iso

Link:

https://opentip.kaspersky.com/a8cd80793c479cf48d4860343e9727fda4e98824c35fd71abee1acb21c6cfb74/results?tab=lookup

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8cd80793c479cf48d4860343e9727fda4e98824c35fd71abee1acb21c6cfb74/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/a8cd80793c479cf48d4860343e9727fda4e98824c35fd71abee1acb21c6cfb74

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2026-06-23 10:49:36 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

5 of 24 (20.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vdgya6j4i6opjdkima2d5fzh7wsotcbeynp5ogv64gwlehdm7n2a._file

Result

Malware family:

n/a

Score:

8/10

Tags:

adware defense_evasion discovery execution persistence spyware

Link:

https://tria.ge/reports/260623-nzcctsct7j/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Modifies registry key

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Windows directory

Drops file in System32 directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Prevents Microsoft Defender from scanning certain paths by adding an exclusion.

Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a8cd80793c479cf48d4860343e9727fda4e98824c35fd71abee1acb21c6cfb74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_decoding Create hunting rule
Author:	iam-py-test
Description:	Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	iso_lnk Create hunting rule
Author:	tdawg

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	SUSP_EXE_in_ISO Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects ISO files that contains an Exe file. Does not need to be malicious
Reference:	Internal Research

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	WIN_FileFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:	FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample