MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd7219d7aa99db6647c5519d24e8cdd35e67e39e1f2e55f1099130593dee66f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd7219d7aa99db6647c5519d24e8cdd35e67e39e1f2e55f1099130593dee66f4
SHA3-384 hash: ba69fb3454751985328b6baaf1ded918b45c38f5ecaf593b302adbd23f650e1b001df9a0101491ce1f2eebc56262951e
SHA1 hash: b73ec9761a072ff0cc08f7d8a5905e5baad0660a
MD5 hash: ba0707ae5d122d2e594cff462e422713
humanhash: zulu-nineteen-speaker-pizza
File name:Abm2026H1GncelFiyatListesi.exe
Download: download sample
File size:22'016 bytes
First seen:2026-04-14 06:24:56 UTC
Last seen:2026-05-08 13:08:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'003 x AgentTesla, 19'907 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 384:Hz57Ngy0RmnD4b1PkuSsjfzLuzKjr6j5l7fKRh2sIhhwQTSN4XUBIyAGHlc0BqY:Hz57Ngy0RK0bFLjWGjrAl7fPsIgQgsUH
TLSH T16FA2643DD5E5FDD0C75F12F078AAF7C6019BA7176E1A172CF8C814920B41798ABB9188
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Abm 2026 H1 Güncel Fiyat Listesi .r07
Verdict:
Malicious activity
Analysis date:
2026-04-13 17:14:03 UTC
Tags:
arch-exec susp-powershell
Link:
https://app.any.run/tasks/e45a3832-c6d0-41e7-8a89-0f9d53185516

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61472/
Detection(s):
Win.Packed.Zusy-10059940-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dd24d8f68adfe10039776e
Tags:
ransomware shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a process with a hidden window
Creating a file
Сreating synchronization primitives
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Gathering data
Verdict:
Malicious
Labled as:
Marsilia.Generic
Link:
https://www.hybrid-analysis.com/sample/cd7219d7aa99db6647c5519d24e8cdd35e67e39e1f2e55f1099130593dee66f4
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-13T09:18:00Z UTC
Last seen:
2026-04-15T23:56:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.BAT.Alien.gen PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Alien.gen
Link:
https://opentip.kaspersky.com/cd7219d7aa99db6647c5519d24e8cdd35e67e39e1f2e55f1099130593dee66f4/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6529c36e-e63a-48f2-b004-0061a2b007b2
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1897817
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Creates multiple autostart registry keys
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1897817 Sample: Abm2026H1GncelFiyatListesi.exe Startdate: 14/04/2026 Architecture: WINDOWS Score: 100 87 www.mypanel.vip 2->87 89 pastefy.app 2->89 91 2 other IPs or domains 2->91 99 Suricata IDS alerts for network traffic 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus / Scanner detection for submitted sample 2->103 105 12 other signatures 2->105 10 Abm2026H1GncelFiyatListesi.exe 2 2->10         started        13 cmd.exe 1 2->13         started        16 cmd.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 file5 83 903a5b65-387b-47f7-b6a5-92cb0012eb2e.bat, DOS 10->83 dropped 85 C:\...\Abm2026H1GncelFiyatListesi.exe.log, CSV 10->85 dropped 20 cmd.exe 1 10->20         started        117 Suspicious powershell command line found 13->117 23 powershell.exe 12 13->23         started        25 conhost.exe 13->25         started        27 powershell.exe 16->27         started        29 conhost.exe 16->29         started        31 powershell.exe 18->31         started        33 powershell.exe 18->33         started        35 powershell.exe 18->35         started        37 15 other processes 18->37 signatures6 process7 signatures8 107 Suspicious powershell command line found 20->107 39 powershell.exe 13 20->39         started        43 conhost.exe 20->43         started        45 powershell.exe 23->45         started        47 powershell.exe 27->47         started        49 powershell.exe 31->49         started        51 powershell.exe 33->51         started        53 powershell.exe 35->53         started        55 powershell.exe 37->55         started        57 5 other processes 37->57 process9 file10 81 C:\ProgramData\URT.bat, DOS 39->81 dropped 109 Suspicious powershell command line found 39->109 111 Found suspicious powershell code related to unpacking or dynamic code loading 39->111 59 powershell.exe 15 17 39->59         started        113 Creates multiple autostart registry keys 45->113 63 conhost.exe 45->63         started        65 conhost.exe 47->65         started        67 conhost.exe 49->67         started        69 conhost.exe 51->69         started        71 conhost.exe 53->71         started        73 conhost.exe 55->73         started        75 conhost.exe 57->75         started        77 4 other processes 57->77 signatures11 process12 dnsIp13 93 hasteb.in 45.33.64.25, 443, 49694, 49698 LINODE-APLinodeLLCUS United States 59->93 95 mypanel.vip 65.21.131.83, 443, 49695, 49696 CP-ASDE United States 59->95 97 pastefy.app 104.21.49.12, 443, 49693, 49697 CLOUDFLARENETUS United States 59->97 115 Creates multiple autostart registry keys 59->115 79 conhost.exe 59->79         started        signatures14 process15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cd7219d7aa99db6647c5519d24e8cdd35e67e39e1f2e55f1099130593dee66f4
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd7219d7aa99db6647c5519d24e8cdd35e67e39e1f2e55f1099130593dee66f4/
Verdict:
Malicious
Threat:
Trojan.MSIL.Alien
Link:
https://tip.neiki.dev/file/cd7219d7aa99db6647c5519d24e8cdd35e67e39e1f2e55f1099130593dee66f4
Threat name:
ByteCode-MSIL.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2026-04-13 12:33:15 UTC
File Type:
PE (.Net Exe)
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvzbtv5kthnwmr6fkgosj2gn2npgpy46d4xfl4ijseyfsppom32a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260414-g6yq3sdv6p/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
cd7219d7aa99db6647c5519d24e8cdd35e67e39e1f2e55f1099130593dee66f4
MD5 hash:
ba0707ae5d122d2e594cff462e422713
SHA1 hash:
b73ec9761a072ff0cc08f7d8a5905e5baad0660a
Link:
https://www.unpac.me/results/7d9c2ab4-b48c-4b3c-9df8-59b00b7b92eb/
Malware family:
HomeesNETInjector
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd7219d7aa99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd7219d7aa99db6647c5519d24e8cdd35e67e39e1f2e55f1099130593dee66f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:obfuscated_BAT
Create hunting rule
Author:@warz_s
Description:Identifies obfuscated BAT files
Reference:https://github.com/secwarz/YaraRules
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/61472/

Comments