MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a9918bc9f5715564a819a2cf77b0e800528ef40dce33dec9bf9fb97d0dfd3f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Efimer


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a9918bc9f5715564a819a2cf77b0e800528ef40dce33dec9bf9fb97d0dfd3f2
SHA3-384 hash: 8a6cb0c514fbf967cdaba18ddfa0bd21642f7f2de4be61e9e90e54e2dffc77ea4e8e87a429b7e4046b6673360a6e106d
SHA1 hash: bb44fa3f8fffb545fbd58ce3c87f0c1a8bc354e3
MD5 hash: a45b1625a819ffc8128e13cc3143205e
humanhash: tennis-magazine-juliet-cardinal
File name:a𝐟t𝑒r_𝑒ffe𝐜𝑡𝐬_𝐯23𝟜𝟡_𝐠a𝐤_x3.exe
Download: download sample
Signature Efimer
Create hunting rule
File size:12'613'952 bytes
First seen:2025-11-23 15:57:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (38 x BlankGrabber, 15 x PythonStealer, 15 x SalatStealer)
ssdeep 393216:b/L6a3+r/9jSADS6I1gLkVxXMCHWUjMcuI3/PjuUw0:7LWj9SA2gcXMb8ZH/rA0
TLSH T190D6334C26F111EED963C078DEE29285EA78783323B2C9DB83B492655E572F0493F617
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:Efimer exe


Avatar
iamaachum
https://filesprograms.digital/dl.php?dl=YWZ0ZXJfZWZmZWN0c192Tk5OTl9CQUxfeDMuZXhl => https://reparertelephone.fr/?dl=YWZ0ZXJfZWZmZWN0c192Tk5OTl9CQUxfeDMuZXhl

Efimer C2: http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion/route.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_6a9918bc9f5715564a819a2cf77b0e800528ef40dce33dec9bf9fb97d0dfd3f2.exe
Verdict:
Malicious activity
Analysis date:
2025-11-23 16:34:23 UTC
Tags:
python evasion pyinstaller
Link:
https://app.any.run/tasks/2063f7e2-5fc8-4fbe-96b6-67e5c0a23c5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41162/
Gathering data
Gathering data
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand installer-heuristic lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller
Link:
https://www.filescan.io/uploads/69232f18eecb08e4aa45e574/reports/4ed60162-19b4-4e0b-91c1-8c67f2f8cb3a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/6a9918bc9f5715564a819a2cf77b0e800528ef40dce33dec9bf9fb97d0dfd3f2
Result
Gathering data
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1819575
Signature
Adds a directory exclusion to Windows Defender
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1819575 Sample: dc1c#Ud835#Udc61#Ud835#Udc2... Startdate: 23/11/2025 Architecture: WINDOWS Score: 100 80 ipinfo.io 2->80 92 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->92 94 Sigma detected: WScript or CScript Dropper 2->94 96 Joe Sandbox ML detected suspicious sample 2->96 98 6 other signatures 2->98 9 dc1c#Ud835#Udc61#Ud835#Udc2c_#Ud835#Udc2f23#Ud835#Udfdc#Ud835#Udfe1_#Ud835#Udc20a#Ud835#Udc24_x3.exe 26 2->9         started        13 wscript.exe 2->13         started        15 svchost.exe 2->15         started        signatures3 process4 dnsIp5 72 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->72 dropped 74 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->74 dropped 76 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 9->76 dropped 78 13 other files (none is malicious) 9->78 dropped 102 Uses schtasks.exe or at.exe to add and modify task schedules 9->102 104 Adds a directory exclusion to Windows Defender 9->104 106 Found pyInstaller with non standard icon 9->106 18 dc1c#Ud835#Udc61#Ud835#Udc2c_#Ud835#Udc2f23#Ud835#Udfdc#Ud835#Udfe1_#Ud835#Udc20a#Ud835#Udc24_x3.exe 8 9->18         started        108 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->108 110 Suspicious execution chain found 13->110 22 svcup.exe 13->22         started        25 curl.exe 13->25         started        27 svcup.exe 13->27         started        90 127.0.0.1 unknown unknown 15->90 file6 signatures7 process8 dnsIp9 64 C:\Users\Public\Videos\ihiyo\svcup.exe, PE32+ 18->64 dropped 66 C:\Users\Public\Videos\ihiyo\ihuho.xml, XML 18->66 dropped 68 C:\Users\Public\Videos\ihiyo\ihuho.js, ASCII 18->68 dropped 100 Adds a directory exclusion to Windows Defender 18->100 29 cmd.exe 1 18->29         started        32 cmd.exe 1 18->32         started        34 cmd.exe 1 18->34         started        42 5 other processes 18->42 82 107.189.31.232, 49708, 9000 PONYNETUS United States 22->82 84 185.129.61.129, 443, 49710 ZENCURITY-NETDK Denmark 22->84 86 7 other IPs or domains 22->86 36 conhost.exe 22->36         started        70 C:\Users\user\AppData\Local\Temp\cfile, ASCII 25->70 dropped 38 conhost.exe 25->38         started        40 conhost.exe 27->40         started        file10 signatures11 process12 dnsIp13 112 Adds a directory exclusion to Windows Defender 29->112 45 powershell.exe 23 29->45         started        48 conhost.exe 29->48         started        50 powershell.exe 23 32->50         started        52 conhost.exe 32->52         started        54 powershell.exe 23 34->54         started        56 conhost.exe 34->56         started        88 ipinfo.io 34.117.59.81, 443, 49702 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 42->88 58 powershell.exe 42->58         started        60 powershell.exe 42->60         started        62 6 other processes 42->62 signatures14 process15 signatures16 114 Loading BitLocker PowerShell Module 45->114
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6a9918bc9f5715564a819a2cf77b0e800528ef40dce33dec9bf9fb97d0dfd3f2
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/a45b1625a819ffc8128e13cc3143205e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a9918bc9f5715564a819a2cf77b0e800528ef40dce33dec9bf9fb97d0dfd3f2/
Verdict:
Malicious
Threat:
Win64.Malware.Heuristic
Link:
https://tip.neiki.dev/file/6a9918bc9f5715564a819a2cf77b0e800528ef40dce33dec9bf9fb97d0dfd3f2
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkmrrpe7k4kvmsubtiwpo6yoqacsr32a3trt33e37h5zpug72pza._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence pyinstaller
Link:
https://tria.ge/reports/251123-telnnatlap/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6964a6ce-4779-4857-9196-edf51aa35310
Unpacked files
SH256 hash:
6a9918bc9f5715564a819a2cf77b0e800528ef40dce33dec9bf9fb97d0dfd3f2
MD5 hash:
a45b1625a819ffc8128e13cc3143205e
SHA1 hash:
bb44fa3f8fffb545fbd58ce3c87f0c1a8bc354e3
Link:
https://www.unpac.me/results/99a1ba9d-cb0f-40d3-9de0-fd97baf2d5fd/
SH256 hash:
091ca6ea394a33f0117b7ed9f1aefd4da6022f8bdaa4fb963e47b04a10617241
MD5 hash:
32df5d1b15987be8b373dd4d210f3290
SHA1 hash:
cf51434b3474f8cb1c9f4f55dcf3ba5072de96c4
Detections:
SUSP_OBF_PyArmor_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/99a1ba9d-cb0f-40d3-9de0-fd97baf2d5fd/
SH256 hash:
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
MD5 hash:
862f820c3251e4ca6fc0ac00e4092239
SHA1 hash:
ef96d84b253041b090c243594f90938e9a487a9a
Link:
https://www.unpac.me/results/99a1ba9d-cb0f-40d3-9de0-fd97baf2d5fd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6a9918bc9f57/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Efimer

Executable exe 6a9918bc9f5715564a819a2cf77b0e800528ef40dce33dec9bf9fb97d0dfd3f2

(this sample)

  
Link
https://tria.ge/251123-sys2eaxqcw/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/41162/

Comments