MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a
SHA3-384 hash:	f7e84d61b0dde79d3a0fa7b4c044e989ee45d02ec28f2ef28ae7204d474206f4400c75fee6ddc1009971602863ca8d64
SHA1 hash:	2989aa779d95c9e2d8cb3a65e2cb05203f0d562a
MD5 hash:	80fc64b636834e85ed58220d456cd5c5
humanhash:	magazine-oklahoma-white-friend
File name:	OECD_Update_on_implications_for_energy_markets_of_events_in_the_Middle_East.zip
Download:	download sample
File size:	1'477'040 bytes
First seen:	2026-03-19 13:36:08 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24576:R4X1SmyMrjc/yh2mgiY2djPeUstqJDE8OX17gcHX6p8QUkHEPkrCUT:RC1SmyMrjc/g26vd7etwlE8MBgc1wHES
TLSH	T14165E1035985CA77D12242B07E076D2C6DAC3B14DED8A7DB3368DF1E2F33182A95625E
Magika	zip
Reporter	smica83
Tags:	Plugx zip

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	OECD_Update_on_implications_for_energy_markets_of_events_in_the_Middle_East.lnk
File size:	2'741 bytes
SHA256 hash:	1df74ce45aa9320c48858eddce3f46f5687fbfdcfd497d92a1e17476e7a2951e
MD5 hash:	fa107167ff9303c06c8c7c518a7a1923
MIME type:	application/octet-stream

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4abbdb2e-40fa-4df3-a0e5-7cb6a5b6348c/

Detection(s):

Sanesecurity.Foxhole.Lnk_Zip_1.UNOFFICIAL

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL

MiscreantPunch.SingleXOR.EXE.22.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69bbfbce88c80c01586c0ab6

Tags:

obfuscate corrupt xtreme

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autorun evasive masquerade powershell smb

Link:

https://www.filescan.io/uploads/69bbfbca2000fc76c3ed0ef8/reports/0024ba8a-fedb-49d3-a687-aa0986008044/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a

Details

Hidden Powershell

Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.

Verdict:

Malicious

File Type:

zip

Link:

https://opentip.kaspersky.com/bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a/results?tab=lookup

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a/

Verdict:

Malicious

Threat:

Trojan.WinLNK.Agent

Link:

https://tip.neiki.dev/file/bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a

Threat name:

Shortcut.Trojan.Kepavll

Status:

Malicious

First seen:

2026-03-19 13:37:18 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

14 of 36 (38.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xtjq6iiw6w5gomogfbed2wl3forwedwumtddq5mfledda27lcava._file

Result

Malware family:

n/a

Score:

7/10

Tags:

link pdf

Link:

https://tria.ge/reports/260319-tjtj3afy2n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Archive_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies archive (compressed) files in shortcut (LNK) files.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	Long_RelativePath_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.

Rule name:	PDF_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	SUSP_ZIP_Smuggling_Jun01 Create hunting rule
Author:	delivr.to
Description:	ZIP archives with data smuggled between last file record and the central directory.
Reference:	https://github.com/Octoberfest7/zip_smuggling/

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample