Authenticate for API access | If you are experiencing issues with receiving data from abuse.ch platforms via API, please ensure your requests are authenticated. ➡️ Read here for more info

YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 4bd2ec23ca2fa57e18b43074712310265b168e38bbc65d9fbab29d967a212363.

Scan Results


SHA256 hash: 4bd2ec23ca2fa57e18b43074712310265b168e38bbc65d9fbab29d967a212363
File size:2'316'727 bytes
File download: Original
MIME type:application/x-dosexec
MD5 hash: fa85eb4b1c157476d7dea57e41842ec0
SHA1 hash: 224e99807e2707d6d5f503c7d21d69491e96d591
SHA3-384 hash: ade4f7293f553c9f6c6b8d6099ab312bc9d65b742652b8aacca3be1d2c732c4954fd8a50e55545f027407f85fda2e1ac
First seen:2025-08-24 22:21:41 UTC
Last seen:Never
Sightings:1
imphash : 38aa7c2ff6ef0e48a9520d6702d08df4
ssdeep : 49152:7/m6r2pV834x8Y/Q94iZNrP2t0ZyyIjnRnUn:728Y/QSirHv2Rg
TLSH :n/a
telfhash :n/a
gimphash :n/a
dhash icon :n/a

Tasks


There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information


Task ID:b5bfbb7f-8138-11f0-8fb7-42010aa4000b
File name:fa85eb4b1c157476d7dea57e41842ec0
Task parameters:ClamAV scan:True
Unpack:False
Share file:True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

Signature:PUA.Win.Packer.AcprotectUltraprotect-1
Signature:Win.Ransomware.Gandcrab-10056444-0

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:CHM_File_Executes_JS_Via_PowerShell
Author:daniyyell
Description:Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell
TLP:TLP:WHITE
Repository:YARAify
Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
TLP:TLP:WHITE
Repository:YARAify
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:TLP:WHITE
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP:TLP:WHITE
Repository:YARAify
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP:TLP:WHITE
Repository:YARAify
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
TLP:TLP:WHITE
Repository:YARAify
Rule name:iso_lnk
Author:tdawg
TLP:TLP:WHITE
Rule name:NET
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
TLP:TLP:WHITE
Repository:
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
TLP:TLP:WHITE
Repository:
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
TLP:TLP:WHITE
Repository:YARAify
Rule name:UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:UPXv20MarkusLaszloReiser
Author:malware-lu
TLP:TLP:WHITE
Repository:

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files


The following files could be unpacked from this sample.