MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4101e4d3d1751da40d15684edeb8ace9ee86f562669cbbcee6d799cdb609c76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4101e4d3d1751da40d15684edeb8ace9ee86f562669cbbcee6d799cdb609c76
SHA3-384 hash: 0a79aa5354f489a97f8cf1ba61252be889a74268c1d7da7652225d7a2e574139be8befc71596fd65fc8ad216e618a15f
SHA1 hash: e3eae764b5b7c4cf575985b29c142c4a5ef1b2b7
MD5 hash: 8f43c7d7f86ea60e555629c30a0036c6
humanhash: apart-alabama-lemon-earth
File name:tmpdddeptqq.exe
Download: download sample
File size:7'881'829 bytes
First seen:2025-06-19 01:15:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 064967a99ade726316dc79a4a929fe96 (5 x QuasarRAT, 2 x PythonStealer, 1 x njrat)
ssdeep 98304:8p8Ip6WvPfW2uZhCMYkcPGXaWLmLwTJl3SXAUOeh6x9Sv3GiiL5fhTZlhQ3W6PFr:AP/vRurHmQm8NlOQPAv2j5ZV6FtJ
TLSH T1CF86331863E446DDFAE7833D8942CE15E374BC222795D99713E489A22F337D02936BB1
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter toxicdss
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
455
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
tmpdddeptqq.exe
Verdict:
Malicious activity
Analysis date:
2025-06-18 16:08:10 UTC
Tags:
python
Link:
https://app.any.run/tasks/dc3a256a-738d-4d03-843e-3414e56942d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10076/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6853df9ed1262bb4773b2241
Tags:
vmdetect shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Searching for the window
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/685364c23faf8fcd7d351731/reports/387badda-250d-4d50-94a7-ca831eda4de7/overview
Verdict:
Malicious
Labled as:
RiskWare/Kryptik.a
Link:
https://www.hybrid-analysis.com/sample/e4101e4d3d1751da40d15684edeb8ace9ee86f562669cbbcee6d799cdb609c76
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/01607017-97a1-48e7-88fb-499a8bfc5b40
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1718071
Signature
Adds a directory exclusion to Windows Defender
Creates HTML files with .exe extension (expired dropper behavior)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1718071 Sample: tmpdddeptqq.exe Startdate: 19/06/2025 Architecture: WINDOWS Score: 68 48 store-eu-par-2.gofile.io 2->48 50 pki-goog.l.google.com 2->50 52 2 other IPs or domains 2->52 58 Multi AV Scanner detection for submitted file 2->58 60 Joe Sandbox ML detected suspicious sample 2->60 62 Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet 2->62 9 tmpdddeptqq.exe 17 2->9         started        signatures3 process4 file5 40 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->40 dropped 42 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->42 dropped 44 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 9->44 dropped 46 11 other files (none is malicious) 9->46 dropped 66 Creates HTML files with .exe extension (expired dropper behavior) 9->66 68 Adds a directory exclusion to Windows Defender 9->68 13 tmpdddeptqq.exe 2 9->13         started        17 conhost.exe 9->17         started        signatures6 process7 dnsIp8 54 gofile.io 160.202.167.55, 443, 49693 DEDICATEDUS New Zealand 13->54 56 store-eu-par-2.gofile.io 45.112.123.224, 443, 49692 AMAZON-02US Singapore 13->56 70 Adds a directory exclusion to Windows Defender 13->70 19 powershell.exe 23 13->19         started        22 icacls.exe 1 13->22         started        24 icacls.exe 1 13->24         started        26 2 other processes 13->26 signatures9 process10 signatures11 64 Loading BitLocker PowerShell Module 19->64 28 WmiPrvSE.exe 19->28         started        30 conhost.exe 19->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        process12
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e4101e4d3d1751da40d15684edeb8ace9ee86f562669cbbcee6d799cdb609c76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4101e4d3d1751da40d15684edeb8ace9ee86f562669cbbcee6d799cdb609c76/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qib4tj5c5i5uqgrk2co324kz2poq32wezu4xphonv4zzw3atr3a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution pyinstaller
Link:
https://tria.ge/reports/250619-bmntwabq2w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Loads dropped DLL
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fb94069a-13d8-4920-92da-bd7ec524cf17
Unpacked files
SH256 hash:
007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
MD5 hash:
8d4805f0651186046c48d3e2356623db
SHA1 hash:
18c27c000384418abcf9c88a72f3d55d83beda91
Link:
https://www.unpac.me/results/b233ec80-9bce-4017-9e6c-b72747fda361/
SH256 hash:
052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
MD5 hash:
32da96115c9d783a0769312c0482a62d
SHA1 hash:
2ea840a5faa87a2fe8d7e5cb4367f2418077d66b
Link:
https://www.unpac.me/results/b233ec80-9bce-4017-9e6c-b72747fda361/
SH256 hash:
ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7
MD5 hash:
ae5b2e9a3410839b31938f24b6fc5cd8
SHA1 hash:
9f9a14efc15c904f408a0d364d55a144427e4949
Link:
https://www.unpac.me/results/b233ec80-9bce-4017-9e6c-b72747fda361/
SH256 hash:
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
MD5 hash:
0f8e4992ca92baaf54cc0b43aaccce21
SHA1 hash:
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
Link:
https://www.unpac.me/results/b233ec80-9bce-4017-9e6c-b72747fda361/
SH256 hash:
e4101e4d3d1751da40d15684edeb8ace9ee86f562669cbbcee6d799cdb609c76
MD5 hash:
8f43c7d7f86ea60e555629c30a0036c6
SHA1 hash:
e3eae764b5b7c4cf575985b29c142c4a5ef1b2b7
Link:
https://www.unpac.me/results/b233ec80-9bce-4017-9e6c-b72747fda361/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4101e4d3d1751da40d15684edeb8ace9ee86f562669cbbcee6d799cdb609c76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:exela
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked exela stealer malware samples.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/10076/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments