YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash a29022e52dda155e88599b448ec40d16d159d00dba36af28651a608c89b7ecff.

Scan Results

SHA256 hash: a29022e52dda155e88599b448ec40d16d159d00dba36af28651a608c89b7ecff
File size:3'907'584 bytes
File download: Original
MIME type:application/x-dosexec
MD5 hash: c72da37c4a590811cc49a37e59d409ac
SHA1 hash: b1e9179dea51c9c2998a570f85f388c6e2aa438a
SHA3-384 hash: 21622da427579168a72dc2cdcbb74646d383be5f23d65b30041ed4044823251e2b95950895f6f009919054b3b9aecd0b
First seen:2025-11-21 18:57:37 UTC
Last seen:Never
Sightings:1
imphash : 349d63618195878354e37453f6f72dac
Create hunting rule
ssdeep : 24576:RFWEHSxrjT8W+X7VzO/GAErxFbMBgGuhiLg2QPlKycm:RFWEyxDP+XJZAENFbMLuk4cm
TLSH :n/a
telfhash :n/a
gimphash :n/a
dhash icon : 8e2b072bce4d2b8e
Create hunting rule

Tasks

There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information

Task ID:f2c7718d-c70b-11f0-a73e-42010aa4000b
File name:7ff7b2220000.wordpad.exe
Task parameters:ClamAV scan:True
Unpack:False
Share file:True

ClamAV Results

The file matched the following open source and commercial ClamAV rules.

YARA Results

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:TLP:WHITE
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
TLP:TLP:WHITE
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:TLP:WHITE
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP:TLP:WHITE
Repository:YARAify
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
TLP:TLP:WHITE
Repository:YARAify
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
TLP:TLP:WHITE
Rule name:NET
Create hunting rule
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:pe_detect_tls_callbacks
Create hunting rule
Author:
TLP:TLP:WHITE
Repository:YARAify
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
TLP:TLP:WHITE
Repository:YARAify
Rule name:Suspicious_PssCaptureSnapshot_Usage
Create hunting rule
Author:Dana Behling - Just me not for personal curiosity, no company.
Description:Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.
TLP:TLP:WHITE
Repository:YARAify
Rule name:classified
Author:classified
Description:classified
TLP :TLP:AMBER

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files

The following files could be unpacked from this sample.