MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abe1128725ef7bd1f85a55c90baba85d5775785664509662c22cfdee78f94f12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 4



SHA256 hash: abe1128725ef7bd1f85a55c90baba85d5775785664509662c22cfdee78f94f12
SHA3-384 hash: 2f92d0be1ec5550b34e64529929f61d3443d2b7f8aea0657d97b16afcdade510afe509799e2291e1c160a34f9d482a45
SHA1 hash: 823faf78b47ccf05d4406f590d6619c8d6aa0074
MD5 hash: e03a0e32a9c38a6776c8eb155c0d3b78
humanhash: salami-johnny-social-carolina
File name: app_permissions.md
File size: 11'322'067 bytes
First seen: 2025-12-01 21:02:58 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep 196608:wgAU5w3RZoz6KCgZ9scORN8g/k/TH1CSgk08LEaXVAPoSObwdsh8p73qVx:wjU5whGO/csWg/q0QxWPBGwdshEYx
TLSH T1E6B6332B89EC6763FDCF34382590CA685A6C4346B24AF85A5E0F41E06DE3D785B2E41D
Magika: zip
Reporter: aachum
Tags: dropped-by-ACRStealer zip


iamaachum
https://www.mediafire.com/file_premium/pek4yi0tiqjr7j9/app_permissions.md/file

Intelligence


File Origin
# of uploads: 1
# of downloads: 88
Origin country: ES
File Archive Information

This file archive contains 16 file(s), sorted by their relevance:

File name:vcruntime140_1.dll
File size:36'752 bytes
SHA256 hash: 922124ba0821aa864a0261ed88bd25f8e40f94c24d00d389e23cd9ab2bfc6ba4
MD5 hash: 4dc09ca657822c2e8160255f767597df
MIME type:application/x-dosexec
File name:_asyncio.pyd
File size:64'344 bytes
SHA256 hash: 1741eaaa4ae835babf4d50f200d8577cfa5a4ad6aa40ccc3ea7021afb6327236
MD5 hash: 71fcb8e679d711f788dddf8388a81ee3
MIME type:application/x-dosexec
File name:_ctypes.pyd
File size:121'176 bytes
SHA256 hash: 64e8398b7e66acfd1c1fd4c6b330d736ac65a863eec719546d500d2f721c8c26
MD5 hash: 08a6a4e66c685772c43405a58123c888
MIME type:application/x-dosexec
File name:_queue.pyd
File size:31'576 bytes
SHA256 hash: 9d5aff449f30570bef662f142539dc13b1bdb3490328f2c526f8bbc0884d0238
MD5 hash: 557f0026a5bf709863933d009de8dbe5
MIME type:application/x-dosexec
File name:_hashlib.pyd
File size:55'128 bytes
SHA256 hash: ef05bb2789d7a0fc0c2c4a438836a59aacbd92da54adc4907532244ad8d0b03e
MD5 hash: 1663885a8fa56c205ecaf1ba8f7ed1e7
MIME type:application/x-dosexec
File name:libffi-8.dll
File size:35'088 bytes
SHA256 hash: b982741576a050860c3f3608c7b269dbd35ab296429192b8afa53f1f190069c0
MD5 hash: 74d2b5e0120a6faae57042a9894c4430
MIME type:application/x-dosexec
File name:python3.dll
File size:72'024 bytes
SHA256 hash: 3a131e50065f8b218babb06006c975d67e22246a4eaf351fdf55ab1346d87538
MD5 hash: 3827543d870a79d0b5048a1ee99000fd
MIME type:application/x-dosexec
File name:FNPLicensingService.exe
File size:102'744 bytes
SHA256 hash: 9ebc50d92e1143aec5aaa616361fe055151bc15410b08bc4919ff5531fe1a5c3
MD5 hash: 7a80cc7ac87472b2047a9dcf53b90f23
MIME type:application/x-dosexec
File name:_multiprocessing.pyd
File size:32'600 bytes
SHA256 hash: b21c9d85b3c62399e3b594099c706940a689686776dd6d25d849239fe05ba2f7
MD5 hash: 255d3dd2415f3269208f9766c9c269cd
MIME type:application/x-dosexec
File name:vcruntime140.dll
File size:90'192 bytes
SHA256 hash: bf33857f46e56ea7930c1eea25c5f7175a6aaa3df36bf8301a785e6ca726a0b9
MD5 hash: c33386a6e67be415a24d9c431ffd42ac
MIME type:application/x-dosexec
File name:_overlapped.pyd
File size:46'936 bytes
SHA256 hash: c3444ab68fd78c31125ff9e1004d17ed8c741d16edcee0a1124a7e5e924ced4a
MD5 hash: b394e60a849f9f2f7ab8e10c326e717b
MIME type:application/x-dosexec
File name:select.pyd
File size:30'040 bytes
SHA256 hash: 29795c569683aa2892fc7205c47734e79f22a655da1e582a7b26f4147320f0fd
MD5 hash: 838adb85ac2c069650a8f64ba5fbe90c
MIME type:application/x-dosexec
File name:python313.dll
File size:5'495'640 bytes
SHA256 hash: e3c1b4d2033071e4835bf4d13b5da21d3d11b097124983eb4d71b2ec399dbca4
MD5 hash: 327e5636c2d246686306c67004c9bd56
MIME type:application/x-dosexec
File name:python313._pth
File size:80 bytes
SHA256 hash: 35ddf94682ff9aa713a8d63557242ad00f3f28fdd39337f02c3bda4c0f791577
MD5 hash: c23ad35e55e5b1a71ee2e9dd97723749
MIME type:text/x-objective-c
File name:python313.zip
File size:3'785'301 bytes
SHA256 hash: ccd3cd6a5c8f12f9e81d94b9896700dba58cc90d103e81f698400db4fdcc5b0b
MD5 hash: 49b0e499729896241e78502443594733
MIME type:application/zip
File name:app_permissions
File size:6'632'077 bytes
SHA256 hash: 2d564e34ff976890f1eb05733d5b85d285c0e8070866c04eeb2fa5cbba0e1a0d
MD5 hash: 6ca7b76554dd29e457e1314da240bc99
MIME type:text/plain
Vendor Threat Intelligence
Details: No details
Verdict: Malicious
Score: 70%
Tags: infosteal
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Zip Archive
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Base64_decoding
Author:iam-py-test
Description:Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)
Rule name:CAS_Malware_Hunting
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
