MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 43fbbc85fb1fea028cc73f345203b5c3b6a5ded85e1fb472c96f4ece9f1af0df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 9
| SHA256 hash: | 43fbbc85fb1fea028cc73f345203b5c3b6a5ded85e1fb472c96f4ece9f1af0df |
|---|---|
| SHA3-384 hash: | f5f56289c89390cca21840d8aa781479fbb164181b53ba6daf445218934c62545c04c4d03814af9c8bf93fab1676c841 |
| SHA1 hash: | 13149a833f470dbd1eb0bc42b308ba11224cf4d7 |
| MD5 hash: | 3d16a2b8987655e7ea0fc3f621b31cff |
| humanhash: | mississippi-island-montana-mirror |
| File name: | YomiraSetup.exe |
| Download: | download sample |
| File size: | 84'561'590 bytes |
| First seen: | 2025-08-13 05:17:16 UTC |
| Last seen: | 2025-08-16 10:37:12 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer) |
| ssdeep | 1572864:QF+BWqL9BHBWLwbzsQY1ZxhbJeF57h/7IO/dxsOGU9NFN78lxJZzUq2:QMB1MwbOD/dI7pM0sOd9NFNIlxb2 |
| TLSH | T1D1083330ABE6F876E255BEB781F61F3602172586FEB59A533D4203DC0B74B03A919E11 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| dhash icon | c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla) |
| Reporter |  cxiao |
| Tags: | exe |
Intelligence
File Origin
# of uploads :
10
# of downloads :
75
Origin country :
SEVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
YomiraSetup.exe
Verdict:
Malicious activity
Analysis date:
2025-08-13 05:19:20 UTC
Tags:
stealer discord arch-doc auto-download generic ims-api nodejs
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
extens sage blic
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for synchronization primitives
Unauthorized injection to a recently created process
Loading a suspicious library
Moving a file to the %AppData% subdirectory
DNS request
Connection attempt
Sending an HTTP GET request
Launching a tool to kill processes
Verdict:
Suspicious
Labled as:
Malware_48.7
Score:
87%
Verdict:
Malware
File Type:
PE
Gathering data
Verdict:
Malicious
Threat:
HEUR:Trojan.Script
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
7/10
Tags:
defense_evasion discovery execution linux spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Dropped by
4236de23451617dcaae04d0d75c8131b0240c437334caae7988b74a96ac544ee
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::SetFileSecurityW |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileExW KERNEL32.dll::MoveFileW |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.