MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d03545f404e7b4168b1b71525aecd996aac6e97d67f032e9558dd502c2b0873a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: d03545f404e7b4168b1b71525aecd996aac6e97d67f032e9558dd502c2b0873a
SHA3-384 hash: ff53b6bab700ebb8b3f10077001c04343451d785e7835f4b6e15948f0e6bc26380c3bc083564e07db2244c8b481375fa
SHA1 hash: 5c7517a27a0c272443a9b8b1cf6bcac6e5b84773
MD5 hash: 66ba60f82418873698fb0f7462959288
humanhash: beryllium-florida-purple-saturn
File name: unistall.zip
File size: 48'121'449 bytes
First seen: 2024-09-27 10:30:26 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 786432:GxZyxxWaP8NbAsvnSQLcKQ+gwkZZqlK2QH6XM+TR217UHDtRCrpfKffBB8DzmoKY:GcWPbAs7Lch3wkZZqI2QaXPRWUarpfK6
TLSH: T1A3B733A28020E7D79068402752D565F0F01BAFACC416D463A5D6F79BB3FA7C63B9E483
Magika: zip
Reporter: abuse_ch
Tags: BRA geo zip

Intelligence


File Origin

# of uploads: 1
# of downloads: 237
Origin country: CH
File Archive Information

This file archive contains 11 file(s), sorted by their relevance:

File name: maddisAsm_.bpl
File size: 59'664 bytes
SHA256 hash: fbb9b4f1944b82701c7c06971a24cfed09d6e7f4a0f1684eba49800e3396fe3a
MD5 hash: 61d323161f2cbc187e6a36a12a0734fa
MIME type: application/x-dosexec

File name: ProductNews2.dll
File size: 4'300'342 bytes
SHA256 hash: d4168a050a737d49577b1b2b214878a3c69e50a282c5784076c515f5fe068b42
MD5 hash: 7a723ee758118cfdc8820b3fae9df76f
MIME type: application/x-dosexec

File name: madexcept_.bpl
File size: 442'128 bytes
SHA256 hash: 774afb7dfb8bd192838890b1b522b3f05b3762d6db3f412df7a4f51ee6eb052b
MD5 hash: 8be2193312995c8a442e71dab101c021
MIME type: application/x-dosexec

File name: SysRest.dll
File size: 82'704 bytes
SHA256 hash: cc3ccdcde466210ae0f8330e7030097f80d09a496076f0e002f2c1287aae6fd5
MD5 hash: 72487650a4f664d46c2fcc3b24805a71
MIME type: application/x-dosexec

File name: madbasic_.bpl
File size: 210'704 bytes
SHA256 hash: 50e8481906f27e92bb80f4b7139f90949b960b1b2898dd0f6875147f44d8ad20
MD5 hash: 0470b3205faf06b0b807629c7462ea90
MIME type: application/x-dosexec

File name: IObitUninstaler.exe
File size: 9'406'472 bytes
SHA256 hash: 422aad047cbf5e7bdb3a8a6ef3a08851c98c06cf3f480d7d4222f0cf3aee6631
MD5 hash: 9a5b467dc43e79f91196eedd27aa1cbc
MIME type: application/x-dosexec

File name: sqlite3.dll
File size: 694'176 bytes
SHA256 hash: 19f3bfcbaed4d727209df368909afdde92ef1e12587d3ebf3a2c233eceb93ce2
MD5 hash: b3d2c44cb44f323210dd99c701daf877
MIME type: application/x-dosexec

File name: unins000.msg
File size: 26'895 bytes
SHA256 hash: 415e1bce163f1a48dc4591cb3f2536fa40ebba6aac49b3dd77adfa1bb115bb57
MD5 hash: d9e3321435956dcf24a990beccf524d4
MIME type: application/octet-stream

File name: get
File size: 110'772'235 bytes
SHA256 hash: 02e4e053045f0fd35c37fff23e2597e1a707f06bae5a05b9b2b7aaeacfdb8e82
MD5 hash: 4170a53ef9a671605ab047bad1230c94
MIME type: application/octet-stream

File name: PluginHelper.dll
File size: 28'235'368 bytes
SHA256 hash: affe3f301516b6d28203330267edd8ccb98ceb5506863e2957783e50a440d76a
MD5 hash: 711a1fa5e99cd0fee0ee430a8bbda76d
MIME type: application/x-dosexec

File name: lang.dat
File size: 58 bytes
SHA256 hash: 3d28d0ef53f32c7a64d64224e72cfe54b4fef208619816b2636d0e0ae3d822c9
MD5 hash: ad2055dbf5068c033c949a667d7e3203
MIME type: text/plain
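Before analysing a downloaded copy of an entry like this one, a practitioner checks that the bytes on disk match the hashes the page lists, and that each archive member matches the per-file SHA256/MD5 manifest above, without ever extracting members to disk. The script below is an added example, not MalwareBazaar code: it hashes the outer file (SHA256, SHA3-384, SHA1, MD5; ssdeep and TLSH need third-party libraries and are omitted), then streams every zip member through the same digests with a size cap as a decompression-bomb guard and reports mismatched, unlisted and missing members. The archive it builds for the demo is constructed in memory and has nothing to do with the real sample; the manifest values in `demo()` are likewise placeholders.

```python
"""Verify a downloaded sample and its archive members against a
MalwareBazaar-style listing. Added example, not MalwareBazaar's own code."""
import hashlib
import io
import zipfile

# Digest names as shown on the entry page -> hashlib constructor names.
DIGESTS = {"sha256": "sha256", "sha3_384": "sha3_384", "sha1": "sha1", "md5": "md5"}
CHUNK = 1 << 20                      # read 1 MiB at a time
MAX_MEMBER_BYTES = 512 * 1024 * 1024  # refuse to hash members inflating past this


def digest_stream(fobj, limit=None):
    """Hash a binary stream in chunks; returns {name: hexdigest}.
    Raises ValueError once more than `limit` bytes have been read, so a
    member whose declared size lies still cannot consume unbounded memory."""
    hashers = {name: hashlib.new(algo) for name, algo in DIGESTS.items()}
    seen = 0
    while True:
        chunk = fobj.read(CHUNK)
        if not chunk:
            break
        seen += len(chunk)
        if limit is not None and seen > limit:
            raise ValueError("stream exceeds %d bytes" % limit)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def verify_sample(data, expected):
    """Compare the outer file against the hashes copied from the entry page.
    `expected` maps digest name -> hex string; only the names given are checked.
    Returns the names that do not match (empty list means all matched)."""
    actual = digest_bytes(data)
    unsupported = set(expected) - set(actual)
    if unsupported:  # e.g. ssdeep/TLSH, which this script does not compute
        raise ValueError("unsupported digest(s): %s" % ", ".join(sorted(unsupported)))
    return [name for name, value in expected.items()
            if actual[name] != value.lower()]


def verify_archive_members(data, manifest, max_member_bytes=MAX_MEMBER_BYTES):
    """Hash each zip member from its stream (no extraction to disk) and compare
    with `manifest` ({member name: {"sha256": ..., "md5": ...}}).
    Returns (mismatched, unlisted, missing, oversized):
      mismatched - members whose listed digests differ from what was computed
      unlisted   - members in the zip that the page does not list
      missing    - listed members absent from the zip
      oversized  - members skipped because they inflate past max_member_bytes"""
    mismatched, unlisted, oversized, seen = [], [], [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen.add(info.filename)
            if info.filename not in manifest:
                unlisted.append(info.filename)
                continue
            try:
                with zf.open(info) as member:
                    actual = digest_stream(member, limit=max_member_bytes)
            except ValueError:
                oversized.append(info.filename)
                continue
            want = manifest[info.filename]
            if any(actual[k] != want[k].lower() for k in want):
                mismatched.append(info.filename)
    missing = sorted(set(manifest) - seen)
    return mismatched, unlisted, missing, oversized


def build_demo_zip():
    """Constructed stand-in archive for the demo; not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"placeholder text\n")
        zf.writestr("payload.bin", bytes(range(256)) * 16)
    return buf.getvalue()


def demo():
    """Run both checks over the constructed archive with a placeholder manifest.
    In real use `expected` and `manifest` are copied from the entry page."""
    data = build_demo_zip()
    expected = {"sha256": digest_bytes(data)["sha256"]}
    manifest = {
        "readme.txt": {"sha256": digest_bytes(b"placeholder text\n")["sha256"]},
        "payload.bin": {"md5": "00000000000000000000000000000000"},  # deliberately wrong
        "missing.dll": {"sha256": "00" * 32},  # listed but not present in the zip
    }
    return verify_sample(data, expected), verify_archive_members(data, manifest)


if __name__ == "__main__":
    print(demo())
```

Member names inside a zip are attacker-controlled and may contain path traversal, which is one more reason to hash from the stream rather than extract. The size cap matters here because the listing shows a 110 MB member (`get`) inside a 48 MB archive: a moderate ratio, but the declared size in a zip header is not trustworthy and the cap, not the header, is the real guard.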
Vendor Threat Intelligence

Verdict: Malicious
Score: 70%
Tags: Encryption Static Injection Exploit Obfusc

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm epmicrosoft_visual_cc fingerprint microsoft_visual_cc overlay packed

Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2024-09-27 10:31:09 UTC
File Type: Binary (Archive)
Extracted files: 206
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Malware family: n/a
Score: 6/10
Tags: discovery persistence
Behaviour:
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples produce. Only results from TLP:CLEAR rules are displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: Borland
Author: malware-lu

Rule name: Check_OutputDebugStringA_iat

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_Malicious_VBScript_Base64
Author: daniyyell
Description: Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft SmartScreen

Rule name: hunt_skyproj_backdoor
Author: SBousseaden
Reference: https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: regexpr_pos
Author: @patrickrolsen
Reference: POS malware - RegExpr

Rule name: reverse_http
Author: CD_R0M_
Description: Identify strings with http reversed (ptth)

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: test_Malaysia
Author: rectifyq
Description: Detects files containing the malaysia string

Rule name: win_sysscan_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Web download: zip d03545f404e7b4168b1b71525aecd996aac6e97d67f032e9558dd502c2b0873a (this sample)
Delivery method: Distributed via web download