MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b15acbf8509ee90858a1d60eea3c50094b1e2b0b65c8596c65fc998e9b6a08a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 17 File information Comments

SHA256 hash:	b15acbf8509ee90858a1d60eea3c50094b1e2b0b65c8596c65fc998e9b6a08a9
SHA3-384 hash:	4225f1dd111408044257ba8dcd594eba7d30e202e3232ffc62736f6d622af6fbbe6ed36c959c24f430cbab4543350077
SHA1 hash:	83c3cda4bc929a84ccc16a25595a1e85ee433faf
MD5 hash:	c33861eb02323660ecef2f261f92880d
humanhash:	winter-pennsylvania-victor-thirteen
File name:	NV2230_Update of Situation on Cambodia-Thailand Border.zip
Download:	download sample
File size:	2'050'059 bytes
First seen:	2025-10-05 10:36:52 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24576:CfdJECRsEfSEj+ZQFc3FfW+DQg5PDeWhjqs0zbGnNW8+MroN82mxgKIA1pd3LbAu:CVJlRsEfSXyFo1B6WJX1+3Bb2YDsB
TLSH	T18495F1039C048653D02957F07E175EB51F2E2E1899912AEFC2A61EA73E7C3721D1D2EE
TrID	72.4% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3) 27.5% (.ZIP) ZIP compressed archive (4000/1)
Magika	zip
Reporter	smica83
Tags:	apt dorareco-net MustangPanda zip

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	NV2230_Update of Situation on Cambodia-Thailand Border\NV2230_Update of Situation on Cambodia-Thailand Border.lnk
File size:	3'062 bytes
SHA256 hash:	8635dcc2001514febc6a07714b8cf6a3684b4c4c3b8fc0e08b2f6b92a045e3cc
MD5 hash:	bb74ca3517e51030867ced3a8ceb149d
MIME type:	application/octet-stream

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Lnk_Zip_1.UNOFFICIAL

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL

Gathering data

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/b15acbf8509ee90858a1d60eea3c50094b1e2b0b65c8596c65fc998e9b6a08a9/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive masquerade powershell

Link:

https://www.filescan.io/uploads/68e24a6ff377ab2310522bfa/reports/8b7e55f3-7aa1-4805-b228-e6413cae6364/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/b15acbf8509ee90858a1d60eea3c50094b1e2b0b65c8596c65fc998e9b6a08a9

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/b15acbf8509ee90858a1d60eea3c50094b1e2b0b65c8596c65fc998e9b6a08a9

Details

Hidden Powershell

Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.

Verdict:

Malicious

File Type:

zip

First seen:

2025-10-05T11:19:00Z UTC

Last seen:

2025-10-06T06:57:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/b15acbf8509ee90858a1d60eea3c50094b1e2b0b65c8596c65fc998e9b6a08a9/results?tab=lookup

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

LNK Zip Archive

Link:

https://app.malva.re/file/c33861eb02323660ecef2f261f92880d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b15acbf8509ee90858a1d60eea3c50094b1e2b0b65c8596c65fc998e9b6a08a9/

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2025-10-05 10:37:34 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

9 of 37 (24.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wfnmx6cqt3uqqwfb2yhoupcqbffr4kylmxefs3df7smy5g3kbcuq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

execution

Link:

https://tria.ge/reports/251005-mx4hvstsfz/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/b15acbf8509ee90858a1d60eea3c50094b1e2b0b65c8596c65fc998e9b6a08a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Archive_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies archive (compressed) files in shortcut (LNK) files.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

Rule name:	EXT_EXPL_ZTH_LNK_EXPLOIT_A Create hunting rule
Author:	Peter Girnus
Description:	This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.
Reference:	https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	PDF_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.

Rule name:	PS_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample