MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df4aa9ed599d9453c810487fa14ac9c98e6897d0f065f090384559c9e062dbc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: df4aa9ed599d9453c810487fa14ac9c98e6897d0f065f090384559c9e062dbc6
SHA3-384 hash: 1b59e2a873a63715ba0625e8538992c90462ecd1e6eb13f8aa5ac2f14d9e403e33cd073b417729bec3892024cf825eb6
SHA1 hash: 7dcfe7db81a24d621fab002f34eccc72a8b286b1
MD5 hash: 1d8370541bde6781aa9b8e30964a2059
humanhash: spring-alpha-glucose-king
File name: 88.ext.bin
File size: 3'741'107 bytes
First seen: 2025-05-20 13:56:48 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 98304:69YjQdiiJpRcRbsdJydHfZD0Tb1BPnmjJte+F:uYw7pQoDGBYvMe+F
TLSH: T15A06332F7D523324A866FDB5156306CCFBE14EF65719CEBA3E40C9C616087A362D289C
Magika: zip
Reporter: aachum
Tags: 88.ext AcreedStealer HIjackLoader IDATLoader trustdomainnet-live zip


Comment by iamaachum:
https://1.tattlererun.life/88.ext.bin
C2: trustdomainnet.live

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 80
Origin country: ES
File Archive Information

This file archive contains 6 file(s), sorted by their relevance:

File name: Poor.jicc
File size: 3'193'622 bytes
SHA256 hash: 42f62b2c3c409bccef97d74435653d8e6ad05e3b26b6e552ac8962a50115419d
MD5 hash: 55cc0aab0d076764524de9968d80abb2
MIME type: application/octet-stream

File name: vcruntime140.dll
File size: 76'168 bytes
SHA256 hash: e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a
MD5 hash: a554e4f1addc0c2c4ebb93d66b790796
MIME type: application/x-dosexec

File name: DuiLib_u.dll
File size: 860'160 bytes
SHA256 hash: 08f917bf9f46c496d8baabb57eb5bbdd35bf468d63c4519ebbec7fe58a38c491
MD5 hash: f5874f4c7ad239589a147d4e5e5c081d
MIME type: application/x-dosexec

File name: msvcp140.dll
File size: 448'384 bytes
SHA256 hash: 4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97
MD5 hash: e9f00dd8746712610706cbeffd8df0bd
MIME type: application/x-dosexec

File name: Ato_Ref16.exe
File size: 457'200 bytes
SHA256 hash: c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1
MD5 hash: 4d20b83562eec3660e45027ad56fb444
MIME type: application/x-dosexec

File name: Flaeleab.wcb
File size: 63'155 bytes
SHA256 hash: 606e33eec9919ef88bc0af4ed8ca65e28b6d9527ad59677e25143139e1e21546
MD5 hash: a8ca744390b3e70b7d5444f9624e5c0b
MIME type: application/octet-stream
Vendor Threat Intelligence

Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt

Verdict: Unknown
Threat level: n/a -.1.0/10
Confidence: 100%
Tags: expired-cert microsoft_visual_cc signed

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-05-19 12:37:40 UTC
File type: Binary (Archive)
Extracted files: 23
AV detection: 6 of 24 (25.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: discovery
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
File type: zip
SHA256 hash: df4aa9ed599d9453c810487fa14ac9c98e6897d0f065f090384559c9e062dbc6 (this sample)

Comments