MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c64dc42df7c7f4dc22ac09037394121cbda7549ea1b3271b1cedf79b24c5bc3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: c64dc42df7c7f4dc22ac09037394121cbda7549ea1b3271b1cedf79b24c5bc3e
SHA3-384 hash: 1a47ec2cf11528aa5c7687ea5e6a6a27a693b569ce473cae606e8c971a11880ae64693e540075508173c29f0d537419b
SHA1 hash: e4e946848966c5f8e67e295e7bf83262d3fa0cfa
MD5 hash: a541cd870e6ef9d3e2dbe01d60cda2a2
humanhash: lion-july-zebra-zebra
File name: Информация о среднемесячной заработной плате....zip
File size: 51'508 bytes
First seen: 2026-06-30 06:35:40 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 768:Qd1/SCO46UG2vz6+emSm4B9CFaP2Sh6Mb1db8iggumDbM9eO+4P3H7susGtR501o:Qd1/SCOCARh9CEPJw04igg/M9Dz3HYBo
TLSH: T1DD33F1C53A8F542DBE88E26C94CAAB127E9150278475B0F0C78B6D8CC4E65E65FC7D8C
Magika: zip
Reporter: smica83
Tags: RUS zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 155
Origin country: HU
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name: Информация о среднемесячной заработной плате....lnk
File size: 1'153 bytes
SHA256 hash: 8691acd18cf8e5bab8698b2e1a21988fab21c8142fb9d8dc5857da3dce773aba
MD5 hash: 02235a6285942079641d3e34d8d48f31
MIME type: application/octet-stream

File name: Информация о среднемесячной заработной плате....pdf
File size: 52'660 bytes
SHA256 hash: 578c60c9c55ab901d14d4c53c114788216f2e758c72699514245b63fe0860c69
MD5 hash: a54b966e0c8690845212cd510af2090e
MIME type: application/pdf

Vendor Threat Intelligence
Verdict: Malicious
Score: 91.7%
Tags: infosteal phishing

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: downloader evasive powershell

Verdict: Malicious
File Type: zip
First seen: 2026-06-30T08:05:00Z UTC
Last seen: 2026-06-30T09:09:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 3 match(es)
Tags: LNK Zip Archive

Threat name: Win32.Trojan.Qwexlafiba
Status: Malicious
First seen: 2026-06-25 10:46:36 UTC
File Type: Binary (Archive)
Extracted files: 10
AV detection: 5 of 36 (13.89%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: adware discovery execution spyware
Behaviour:
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
cURL User-Agent
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Archive_in_LNK
Author: @bartblaze
Description: Identifies archive (compressed) files in shortcut (LNK) files.

Rule name: Detect_Remcos_RAT
Author: daniyyell
Description: Detects Remcos RAT payloads and commands

Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files

Rule name: PDF_in_LNK
Author: @bartblaze
Description: Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.

Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.

Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.
