MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d06849eb7a9b98a4970b60852cfe1133f1a446e876eda2dbafe1a6f9e666afa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: d06849eb7a9b98a4970b60852cfe1133f1a446e876eda2dbafe1a6f9e666afa4
SHA3-384 hash: 01a37078f759fe4a3292c0a6b8ef3bb0950cc9a152c08e7df67940bc8bd2ed7d6c5fe3f85d579e7519da296d2c593b2b
SHA1 hash: 2718dc3101cfc028190c4c0b28984cc131ef7597
MD5 hash: bee02443c0324a48cf565122ca7a88ae
humanhash: sink-michigan-bluebird-nevada
File name: husbandspecific.zip
File size: 7'316'478 bytes
First seen: 2025-06-02 22:18:48 UTC
Last seen: 2025-06-04 13:39:50 UTC
File type: zip
MIME type: application/zip
ssdeep: 98304:2muiiHbHPWTTbOJ8uIMNmlffM8juhMN3nFiZeZZHxRMyFX1GeICN5ME/JRGzDZW+:2O2vx7SuuN3nMeZZwzPeI/yzrox
TLSH: T131763326770A442B9AE5AC73D6B1B6F14AF216C0B37212235D7142DB7CA07AC073DB76
Magika: zip
Reporter: smica83
Tags: 195-82-147-93 UKR zip

Intelligence

File Origin
# of uploads: 2
# of downloads: 129
Origin country: HU

File Archive Information

This file archive contains 13 file(s), sorted by their relevance:

File name: api-ms-win-crt-heap-l1-1-0.dll
File size: 22'024 bytes
SHA256 hash: 20ce58e1990ac2f726466e234e6a6ef4dfae97f8cb1571a0a4b1bd74df87dfdd
MD5 hash: ba9303ddc07281252d1c56faa85d9716
MIME type: application/x-dosexec

File name: husbandspecific.exe
File size: 23'656 bytes
SHA256 hash: 124a472c9f3a96cbb429f9fca7077b1bb12166bcf264308feda5bbf008fbe464
MD5 hash: 9b7b2a0fec4f01e856cc79139bf97bb2
MIME type: application/x-dosexec

File name: api-ms-win-crt-string-l1-1-0.dll
File size: 26'080 bytes
SHA256 hash: db897e58b7d327a059db263af2f1be1eff58176e3bcdb82aa801e2d69fd2293c
MD5 hash: 395e487fa98b314a1a703310917f8476
MIME type: application/x-dosexec

File name: VCRUNTIME140.dll
File size: 109'440 bytes
SHA256 hash: 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
MD5 hash: 49c96cecda5c6c660a107d378fdfc3d4
MIME type: application/x-dosexec

File name: api-ms-win-crt-math-l1-1-0.dll
File size: 30'160 bytes
SHA256 hash: 655965eca578ae6b0afedd0ce2a424a3f6e9b3e624dd0d55ce67bc7df75b3b6b
MD5 hash: 87789f1e4ac145980437a907f7ec1984
MIME type: application/x-dosexec

File name: api-ms-win-crt-filesystem-l1-1-0.dll
File size: 21'984 bytes
SHA256 hash: a60dbd92bc1e1e06035d6aeef821d71dd06de7e15b5536110048233dd523a9a2
MD5 hash: 35cc322c04032419445b3ee052ce85fc
MIME type: application/x-dosexec

File name: api-ms-win-crt-stdio-l1-1-0.dll
File size: 26'120 bytes
SHA256 hash: acd08d06dfc981071142a851913e55aa253926c12b5b9d73649b832a4bfd0dd9
MD5 hash: cae87585a8e25d1b0754be0b397d065d
MIME type: application/x-dosexec

File name: api-ms-win-crt-runtime-l1-1-0.dll
File size: 26'120 bytes
SHA256 hash: 84ce7e29868776de9939938d5c3091736669ebad4f063f5e83df0299b474e5ed
MD5 hash: 554da00be256a94c51a4bdf92387ac2a
MIME type: application/x-dosexec

File name: api-ms-win-crt-convert-l1-1-0.dll
File size: 26'120 bytes
SHA256 hash: eb41bf23e10405efcad8bb3eb8972f431394113324717386362ac6406a5c6d75
MD5 hash: ec929cdb876f15a5b1c56651a132e70c
MIME type: application/x-dosexec

File name: jli.dll
File size: 16'891'904 bytes
SHA256 hash: fef08938e87e5b73ea9ddc6ab1e117a15a3c761a3c3f011753092103e46af95b
MD5 hash: ecb22371173dba51ea306ab301197542
MIME type: application/x-dosexec

File name: msvcp1403.dll
File size: 813'581 bytes
SHA256 hash: 869baabc15c4c2677f8d2c7ccccad8d46168067faf2c800999aa5434adda44e3
MD5 hash: bab00deda78af3fb26218eec132f8e03
MIME type: application/octet-stream

File name: api-ms-win-crt-locale-l1-1-0.dll
File size: 22'024 bytes
SHA256 hash: fe617cc8748560a1e12e58559fdf192c5888babff4ae62e386617293d5fc20b0
MD5 hash: 0774cf132b254ba3271bd9ef48259165
MIME type: application/x-dosexec

File name: api-ms-win-crt-environment-l1-1-0.dll
File size: 22'024 bytes
SHA256 hash: 294bca6dcb6455e9027b527aae42ed5aa04d5ae769cb897cb36a150b40a6fa26
MD5 hash: 6b1a8f966512f0fb05b07d557a079476
MIME type: application/x-dosexec
Vendor Threat Intelligence

Verdict: Malicious
Score: 95.7%
Tags: virus

Verdict: Unknown
Threat level: n/a -.1.0/10
Confidence: 100%
Tags: expired-cert microsoft_visual_cc packed signed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-06-02 20:47:05 UTC
File Type: Binary (Archive)
Extracted files: 16
AV detection: 15 of 24 (62.50%)
Threat level: 5/5

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Jupyter_infostealer
Author: CD_R0M_
Description: Rule for Jupyter Infostealer/Solarmarker malware from September 2021-December 2022

Rule name: Lumma_Stealer_Detection
Author: ashizZz
Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Windows_Trojan_RedLineStealer_15ee6903
Author: Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
File: zip d06849eb7a9b98a4970b60852cfe1133f1a446e876eda2dbafe1a6f9e666afa4 (this sample)

Comments