MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b570834a38ff9d5e085dc48700332e536635d23e7cfb9b93fe65be1ffb85e0f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: b570834a38ff9d5e085dc48700332e536635d23e7cfb9b93fe65be1ffb85e0f7
SHA3-384 hash: c3d2f3ced37810295b9d0d4884536e0cfbc8c545ae8141a9c4835f42a5e86224d6a8535d5f7db8a55b1281455797465f
SHA1 hash: b78861c648a71e4639071d70397ee9365414435e
MD5 hash: d9b3d1df47a4544ecc605f60b30d6060
humanhash: arizona-hamper-december-georgia
File name: WealthGAF_CRM_API_Documentation.zip
File size: 2'253 bytes
First seen: 2026-07-03 19:52:05 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 48:9oxKCip9v8QkeovLchXTWARl7p5NUZv63QXHHjLuGmA3N:6xKCKZ8NXqWE/tcHH13N
TLSH: T13A41298996D42068EAEB9370B93A4E81CA7332F4F636F00432482CC16AAE14D065FA5D
Magika: zip
Reporter: smica83
Tags: zip

Intelligence


File Origin

# of uploads: 1
# of downloads: 98
Origin country: HU
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name: WealthGAF_CRM_API_Credentials.pdf.lnk
File size: 2'936 bytes
SHA256 hash: d3360060e7ceea72b77eac2cb6c08965636ed6acb841b8450269db05b8e045c2
MD5 hash: 9b52219441135cd26f7c05a125ad181d
MIME type: application/octet-stream

File name: WealthGAF_CRM_API_Documentation.pdf.lnk
File size: 2'948 bytes
SHA256 hash: ceb5922448414f746bf7eb81d730467dbf935541c8dd4c8ae16917995538ed5c
MD5 hash: a9b2e0183ace86f95261b93a82b0d616
MIME type: application/octet-stream
Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: virus

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: conhost evasive masquerade

Verdict: Malicious
File Type: zip
First seen: 2026-07-03T14:45:00Z UTC
Last seen: 2026-07-03T15:04:00Z UTC
Hits: ~10

Verdict: Malware
YARA: 3 match(es)
Tags: Execution: CMD in LNK, LNK, LOLBin, LOLBin:conhost.exe, Malicious, T1059.003, T1202: Indirect Command Execution, T1204.002, Zip Archive

Threat name: Win32.Trojan.Sonbokli
Status: Malicious
First seen: 2026-07-03 19:52:35 UTC
File Type: Binary (Archive)
Extracted files: 2
AV detection: 8 of 36 (22.22%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.

Rule name: PDF_in_LNK
Author: @bartblaze
Description: Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as a decoy in a malicious LNK.

Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an LNK file, which is suspicious.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments