MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd
SHA3-384 hash:	76f998f12dc7f36c26badac9ca7309c3deb712b283e6f8b5398bd04030b94821558a6d2422b37826dedb7c1cc379a875
SHA1 hash:	0252819a4960c56c28b3f3b27bf91218ffed223a
MD5 hash:	06fcc2a56de5acdf1ca1847c79cca9e9
humanhash:	bravo-whiskey-connecticut-minnesota
File name:	Energy_Infrastructure_Situation_Note _Tehran_Province_2026.zip
Download:	download sample
File size:	1'512'349 bytes
First seen:	2026-03-17 05:42:13 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24576:RAGLknP/dOkO7UqJ8cuTGWJp8QUkHEPkrCUL:6GLkP1OktA0SwHEPFUL
TLSH	T1E965AE2271C2841CED29383A44DD9A0A3DA96D172948D95F3D4CF67EEF762983C6F342
TrID	72.4% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3) 27.5% (.ZIP) ZIP compressed archive (4000/1)
Magika	zip
Reporter	smica83
Tags:	apt MustangPanda Plugx zip

Intelligence

File Origin

# of uploads :

# of downloads :

228

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Energy_Infrastructure_Situation_Note _Tehran_Province_2026.lnk
File size:	2'188 bytes
SHA256 hash:	a95e3857e2f32c2a9c23accadebc1ad6aabf73fed9d63c792d69122d9ec6726d
MD5 hash:	dd82199fe9a36850aaaa6bf28293380a
MIME type:	application/octet-stream

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/e9567ad8-cbc2-46e2-9a9c-4a81aa8ddc6d/

Detection(s):

Sanesecurity.Foxhole.Lnk_Zip_1.UNOFFICIAL

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL

MiscreantPunch.SingleXOR.EXE.158.UNOFFICIAL

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b8e9bc88c80c01586b0812

Tags:

obfuscated obfuscate xtreme

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autorun powershell smb

Link:

https://www.filescan.io/uploads/69b8e9b8493cb7d62d015fff/reports/737926f3-b0b2-4886-b3f9-97eddcb998e8/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd

Details

Hidden Powershell

Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.

Verdict:

Malicious

File Type:

zip

Link:

https://opentip.kaspersky.com/de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd/results?tab=lookup

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

LNK Zip Archive

Link:

https://app.malva.re/file/06fcc2a56de5acdf1ca1847c79cca9e9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd/

Threat name:

Win32.Trojan.WinLnk

Status:

Malicious

First seen:

2026-03-16 19:27:45 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

6 of 36 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3yj6jnbwr67iamdcf52hv3iqpvpwyx7mnyi4gedaqinbf3jnntgq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/260317-gvjg1sdv5q/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Archive_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies archive (compressed) files in shortcut (LNK) files.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	PDF_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	SUSP_ZIP_Smuggling_Jun01 Create hunting rule
Author:	delivr.to
Description:	ZIP archives with data smuggled between last file record and the central directory.
Reference:	https://github.com/Octoberfest7/zip_smuggling/

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample