MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faca8b6f046dad8f0e27a75fa2dc5477d3ccf44adced64481ef1b0dd968b4b0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown

Vendor detections: 8



SHA256 hash: faca8b6f046dad8f0e27a75fa2dc5477d3ccf44adced64481ef1b0dd968b4b0e
SHA3-384 hash: fb5a541d8b9453bf81f791cf005439ef61383d8b03c41603a03aa4df6ea51b6652f5a734243b32f319002e9e9aa0e99f
SHA1 hash: 3775bf222c77eea4683941bd7c51e801f35e07de
MD5 hash: b75816a259098d39e5b666a867edf708
humanhash: november-mirror-romeo-ten
File name: faca8b6f046dad8f0e27a75fa2dc5477d3ccf44adced64481ef1b0dd968b4b0e
File size: 2'153'383 bytes
First seen: 2025-09-05 06:36:29 UTC
Last seen: 2025-09-05 06:37:53 UTC
File type: zip
MIME type: application/zip
ssdeep: 49152:OiWuP7Q/NCVfvX2NhtaWV/uVz9q2KuoP9XDa2LXcYk:jP7QlCdvGkSmiP9MN
TLSH: T131A5331E4283DA07C01F97DD7D098799E58EAE25E77C15203CDE25C28E16A0E8EB3D5B
Magika: zip
Reporter: JAMESWT_WT
Tags: download-uberlingen-com zip

Intelligence


File Origin
# of uploads: 2
# of downloads: 28
Origin country: IT
File Archive Information

This file archive contains 9 file(s), sorted by their relevance:

File name: 107
File size: 132 bytes
SHA256 hash: e5f3cd7f2206ca618b08c8437a0de5e2fd3ab53498712e11b823c42a5d86960c
MD5 hash: f23a7692950b51ad894f3eedc2971792
MIME type: application/octet-stream

File name: 129
File size: 132 bytes
SHA256 hash: ff3477413dccef2b80dd887ff764da20c44eb1e60168601bc1b2b0cca8fc80c2
MD5 hash: 54825f1dee5aaba49f2d8c0970f50569
MIME type: application/octet-stream

File name: 108
File size: 132 bytes
SHA256 hash: e6fb97bf318433dea2a5e937f2193ed251dc1e105e79eca5d7113278e4fb008c
MD5 hash: 625e69e8cc1e00999e1ea1f12b8ac75d
MIME type: application/octet-stream

File name: Job Description (LM HR Division II).pdf .scr
File size: 3'367'192 bytes
SHA256 hash: cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d
MD5 hash: 73d2899aade924476e58addf26254c2e
MIME type: application/x-dosexec

File name: 103
File size: 284 bytes
SHA256 hash: 5f59464025cd4dbec4bc38936dc59126533d3f707a65cc8009e6c799356c296c
MD5 hash: 49933dea63b70eb699e46abb092a84ec
MIME type: application/octet-stream

File name: _RDATA
File size: 512 bytes
SHA256 hash: f8a445fad67462b9cdaad280d0b016d299a93048f09d4afdd7be5e55c8a77deb
MD5 hash: 6cd5f8b11bd245e56e8fafa8cf9c604f
MIME type: application/octet-stream

File name: 109
File size: 16 bytes
SHA256 hash: c2f0c188d6c493d7827bf83fb89c704815796445a0178bb2ae79658d96703a3c
MD5 hash: 3d2b1af3424dbcd504f73918619c7d99
MIME type: application/octet-stream

File name: 18
File size: 11'817 bytes
SHA256 hash: b9c208b9bada7bac4d5bfe53992f570e34e0b4d5cfa0862de9847ddf5630ab9a
MD5 hash: 90ce060169c24601268dbdb9ffac8a0b
MIME type: image/png

File name: string.txt
File size: 48 bytes
SHA256 hash: 026288fa566703fe67e28b8440f3eef5dfd126a05560ff242b23f414fdc02851
MD5 hash: bcf0abec970a3aa15c2d44f6fa5f2073
MIME type: application/octet-stream
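The security-relevant detail in the listing above is the member "Job Description (LM HR Division II).pdf .scr": its content is reported as application/x-dosexec, i.e. a Windows executable (a screen-saver binary) behind a PDF-looking name padded with a space before the real extension. The Python script below is an added example, not MalwareBazaar's own code, that triages a ZIP the same way an analyst would before opening anything: it sniffs each member's magic bytes instead of trusting the name, computes the SHA256/MD5 that could be matched against the hashes listed on this page, and flags naming tricks (executable extension, decoy document extension, whitespace padding, a right-to-left override character). It goes slightly beyond this entry by also catching the reverse case, PE content under a document extension. The archive it inspects is constructed in memory as an assumption shaped like this listing; it is not the sample, and the hashes it prints are those of the constructed bytes.

```python
"""Triage ZIP members for executables hiding behind document-looking names.

Added example (not MalwareBazaar's code). The archive is built in memory as a
constructed stand-in shaped like the listing on this page; it is not the sample.
"""
import hashlib
import io
import re
import zipfile

# File extensions Windows executes on double-click (non-exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll", ".bat", ".cmd",
             ".js", ".jse", ".vbs", ".vbe", ".hta", ".lnk", ".msi", ".ps1"}
# Extensions commonly placed in front of the real one as a decoy.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
            ".txt", ".jpg", ".jpeg", ".png"}


def sniff_mime(data: bytes) -> str:
    """Classify by magic bytes, using the MIME labels MalwareBazaar shows."""
    if data[:2] == b"MZ":
        return "application/x-dosexec"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    if data[:5] == b"%PDF-":
        return "application/pdf"
    return "application/octet-stream"


def name_findings(name: str) -> list[str]:
    """Flag naming tricks: executable extension, decoy extension, padding, RTLO."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    lower = base.lower()
    exts = re.findall(r"\.[a-z0-9]+", lower)  # e.g. ['.pdf', '.scr']
    if exts and exts[-1] in EXEC_EXTS:
        findings.append(f"executable extension {exts[-1]}")
        if any(e in DOC_EXTS for e in exts[:-1]):
            findings.append("document extension used as decoy before the real one")
    if re.search(r"\s\.[a-z0-9]+$", lower):
        findings.append("whitespace padding before final extension")
    if "\u202e" in base:  # RIGHT-TO-LEFT OVERRIDE reverses how the tail renders
        findings.append("right-to-left override character in name")
    return findings


def triage_zip(blob: bytes) -> list[dict]:
    """Return one record per member, most suspicious first."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            mime = sniff_mime(data)
            findings = name_findings(info.filename)
            lower = info.filename.lower()
            if mime == "application/x-dosexec" and not any(lower.endswith(e) for e in EXEC_EXTS):
                findings.append("PE content under a non-executable extension")
            rows.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # compare with listed hashes
                "md5": hashlib.md5(data).hexdigest(),
                "mime": mime,
                "findings": findings,
            })
    # PE content first, then the members with the most naming tricks.
    rows.sort(key=lambda r: (r["mime"] != "application/x-dosexec", -len(r["findings"])))
    return rows


def build_demo_zip() -> bytes:
    """Constructed stand-in for this entry's archive (assumption, not the sample)."""
    # Minimal MZ stub with a PE signature at the offset stored in e_lfanew; not runnable code.
    pe_stub = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 200
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Job Description (LM HR Division II).pdf .scr", pe_stub)
        zf.writestr("107", b"\x00" * 132)
        zf.writestr("18", b"\x89PNG\r\n\x1a\n" + b"\x00" * 100)
        zf.writestr("string.txt", b"demo strings\n")
    return buf.getvalue()


if __name__ == "__main__":
    for row in triage_zip(build_demo_zip()):
        flags = "; ".join(row["findings"]) or "-"
        print(f"{row['mime']:24} {row['size']:>6} {row['sha256'][:16]}  {row['name']!r}  {flags}")
```

Run it against a real archive by replacing build_demo_zip() with the bytes of the downloaded ZIP; the sniffing is deliberately narrow (MZ, PNG, PDF) so that anything unrecognised falls through to application/octet-stream, matching how the resource-like members 107, 108, 129, 103, 109 and _RDATA appear above.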
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.1%
Tags: extens virus sage

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin microsoft_visual_cc packed regsvr32 revoked-cert signed

Verdict: Malicious
File Type: zip
First seen: 2024-05-24T07:28:00Z UTC
Last seen: 2024-05-24T07:28:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 3 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Zip Archive

Threat name: Win32.Backdoor.Kimsuky
Status: Malicious
First seen: 2024-05-23 19:31:37 UTC
File Type: Binary (Archive)
Extracted files: 53
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: detects PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: NikiCert
Author: @bartblaze, @nsquar3
Description: Identifies Nexaweb digital certificate used in (likely) Kimsuky campaign.
Reference: https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments