MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2d5a838ebf3525e22fc008b859a8a5e9f1a2fa7bcd351489e7a1310da10d219. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 9

SHA256 hash: c2d5a838ebf3525e22fc008b859a8a5e9f1a2fa7bcd351489e7a1310da10d219
SHA3-384 hash: c34e39e984127ad738a58a92ba94ba4e00d07f40c9f4b40ede3148ad9b751fedbd0826b50425234df465ec05087c2869
SHA1 hash: 511ad6e38a8569e438c6f21ba873fb7a9d5d3949
MD5 hash: 4668a9265bb682bbecc26a7b47c35985
humanhash: moon-north-lithium-undress
File name: Fexoglobal_CRM_API_Documentation.zip
File size: 2'262 bytes
First seen: 2026-07-01 00:32:31 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 48:9jTIICA6GTpJMhkDeBpj7DgiHiR2IphG5G8aICxg6fZ5Gv:od2PMh77jiLphUG8aI0Lfmv
TLSH: T1E5410933455B706CC15D017F7091315C77FBDB27787EE017ABA590259482AC54B0FB8A
Magika: zip
Reporter: smica83
Tags: UKR zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 158
Origin country: HU
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name: Fexoglobal_CRM_API_Credentials.pdf.lnk
File size: 2'942 bytes
SHA256 hash: 2bc171f1db6c304f968f92c740862f459b33de392877838945b354399ab42ce2
MD5 hash: 3050d4a4c98692493345c25a973683a8
MIME type: application/octet-stream

File name: Fexoglobal_CRM_API_Documentation.pdf.lnk
File size: 2'954 bytes
SHA256 hash: 42de113d9c7f03d96b8555511ce7c789d1226707d8001261a2b2e95185a8451a
MD5 hash: c1cef0f5ad8a9971e6b24ad494a1be8d
MIME type: application/octet-stream
Vendor Threat Intelligence

Verdict: Malicious
Score: 93.3%
Tags: virus

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: conhost downloader evasive masquerade

Verdict: Malicious
File Type: zip
First seen: 2026-06-30T01:01:00Z UTC
Last seen: 2026-07-01T06:05:00Z UTC
Hits: ~10

Verdict: Malware
YARA: 3 match(es)
Tags: Execution: CMD in LNK, LNK, LOLBin, LOLBin:conhost.exe, Malicious, T1059.003, T1202: Indirect Command Execution, T1204.002, Zip Archive

Threat name: Shortcut.Trojan.Pantera
Status: Malicious
First seen: 2026-06-29 22:10:18 UTC
File Type: Binary (Archive)
Extracted files: 2
AV detection: 10 of 36 (27.78%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: adware discovery spyware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.

Rule name: PDF_in_LNK
Author: @bartblaze
Description: Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.

Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments