MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8617f2c6432c96c35b9142798530695511d45a1fb780f33b122542ee9dc3e8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8617f2c6432c96c35b9142798530695511d45a1fb780f33b122542ee9dc3e8a
SHA3-384 hash: cecb143009920cf7e341293acf81e2ef766daf25f64ef05b5ed382936766a485b19f4c17dc789f2241b778c666623c3a
SHA1 hash: d49d4b92cc000bc7f1c9ac99267cb8065e72ba57
MD5 hash: 846c0d4a4a5f2774a69bbf6988dfdcd8
humanhash: arkansas-uniform-blossom-item
File name:Document_45.zip
Download: download sample
File size:1'072 bytes
First seen:2023-08-30 16:41:46 UTC
Last seen:2023-08-30 16:50:38 UTC
File type: zip
MIME type:application/zip
ssdeep 12:5jW2XsCV+77BRtMC1AdqEw2+2GWQKfDPqQ5PRPo1LjV8ZhULD7u5gWPr6FotifHx:9W2/6b+WAJbTVfDCQFRc4C6Mcs027s9k
TLSH T1D211585B573A5D98D42B273C3CF30370F71170D572701292A5BD12E5E156EB6A2429CB
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Jenny Green <Jenny44@8589.com>" (likely spoofed)
Received: "from [103.218.103.48] (unknown [103.168.62.220]) "
Date: "Sun, 27 Aug 2023 22:45:35 +0530"
Subject: "Your Document #45"
Attachment: "Document_45.zip"

Intelligence

File Origin
# of uploads :
3
# of downloads :
81
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Document_45.doc.lnk
File size:1'987 bytes
SHA256 hash: b3dac534d0ce19efdf1aa37718283318e94a82446b3fad721076bb63f427eee3
MD5 hash: c7eb920f5717b5911ca1565067a5a314
MIME type:application/octet-stream
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_doc.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26415.PshHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.LNK.Powershell-B.15407.10712.UNOFFICIAL
Create hunting rule

MiscreantPunch.INFO.LNK.CMDPSHELL.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/c8617f2c6432c96c35b9142798530695511d45a1fb780f33b122542ee9dc3e8a/results/dashboard
Payload URLs
URL
File name
http://twizt.net/s.exe','
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun cmd fingerprint greyware lolbin masquerade powershell powershell shell32
Link:
https://www.filescan.io/uploads/64ef715b7444d2eb09f36f6d/reports/8b26fce3-57c1-4cd8-a477-9686c5260f1a/overview
Verdict:
Malicious
Labled as:
Trojan.Multi.Agent
Link:
https://www.hybrid-analysis.com/sample/c8617f2c6432c96c35b9142798530695511d45a1fb780f33b122542ee9dc3e8a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c8617f2c6432c96c35b9142798530695511d45a1fb780f33b122542ee9dc3e8a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8617f2c6432c96c35b9142798530695511d45a1fb780f33b122542ee9dc3e8a/
Threat name:
Shortcut.Downloader.Ploprolo
Create hunting rule
Status:
Malicious
First seen:
2023-08-27 13:51:43 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
22 of 38 (57.89%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbqx6ldeglewynnzcqtzquygsvir2rnb7n4a6m5rejkc52o4h2fa._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230830-xjmnashc2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://twizt.net/s.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8617f2c6432c96c35b9142798530695511d45a1fb780f33b122542ee9dc3e8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content
Rule name:SUSP_ZIP_LNK_PhishAttachment
Create hunting rule
Author:ignacior
Description:Detects suspicius tiny ZIP files with malicious lnk files
Reference:Internal Research
Rule name:SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious tiny ZIP files with phishing attachment characteristics
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip c8617f2c6432c96c35b9142798530695511d45a1fb780f33b122542ee9dc3e8a

(this sample)

Phorpiex

Shortcut (lnk) lnk b3dac534d0ce19efdf1aa37718283318e94a82446b3fad721076bb63f427eee3

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b3dac534d0ce19efdf1aa37718283318e94a82446b3fad721076bb63f427eee3
  
Dropping
MD5 c7eb920f5717b5911ca1565067a5a314

Comments