MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 003e601b4d70f8a25ea0c1fab52556aa24d00192d91b2cb5c528579f4548702a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PythonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 003e601b4d70f8a25ea0c1fab52556aa24d00192d91b2cb5c528579f4548702a
SHA3-384 hash: 28d2640d20f6db6e3d6fa34c7bf8804cc8a9b0d9232bc4b694e3708fa7366ef5954feee4567a0d87fccd975513a42cfa
SHA1 hash: ed07c98ba1b34fc5dbad499d735ec3ed157be23f
MD5 hash: 1b2b6f087de910098c5cd98ed34ebf9d
humanhash: carpet-oven-eighteen-king
File name:FlameSoftware.exe
Download: download sample
Signature PythonStealer
Create hunting rule
File size:30'902'497 bytes
First seen:2025-04-24 11:49:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 965e162fe6366ee377aa9bc80bdd5c65 (45 x BlankGrabber, 13 x CoinMiner, 9 x Efimer)
ssdeep 786432:6tIuqEuqpZUlRQW8KNfXTOAl8dPXsIKppeCMeXoCX1Pj75:6tIupuCWlRQWJPTjlmPZKppeCMe4CJj
TLSH T107673389775610D9D8FD383BA8C6D8228379F9D04BA0C6A6C7F02A6156731E6DE30773
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon d06869e8f070e9f0 (1 x PythonStealer)
Reporter BastianHein
Tags:exe PythonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
533
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FlameSoftware.exe
Verdict:
Malicious activity
Analysis date:
2025-04-24 11:52:09 UTC
Tags:
pyinstaller uac python upx
Link:
https://app.any.run/tasks/8a357d0a-1595-4c69-9294-033e1b4aa750

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680a26c23d067f848398d45c
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Delayed reading of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy expand lolbin microsoft_visual_cc overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/680a2576833df795debc5a96/reports/6cc9153d-081a-40ec-9bb7-e7b87bd44c83/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/003e601b4d70f8a25ea0c1fab52556aa24d00192d91b2cb5c528579f4548702a
Result
Threat name:
Python Stealer, Discord Token Stealer, P
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1672987
Signature
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Yara detected Discord Token Stealer
Yara detected Generic Python Stealer
Yara detected PySilon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1672987 Sample: FlameSoftware.exe Startdate: 24/04/2025 Architecture: WINDOWS Score: 100 119 discord.com 2->119 127 Multi AV Scanner detection for submitted file 2->127 129 Yara detected PySilon Stealer 2->129 131 Yara detected Discord Token Stealer 2->131 133 3 other signatures 2->133 13 FlameSoftware.exe 1001 2->13         started        17 fsloader.exe 2->17         started        signatures3 process4 file5 103 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 13->103 dropped 105 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 13->105 dropped 107 C:\Users\user\AppData\Local\...\SDL2_ttf.dll, PE32+ 13->107 dropped 115 181 other files (6 malicious) 13->115 dropped 155 Adds a directory exclusion to Windows Defender 13->155 157 Writes many files with high entropy 13->157 19 FlameSoftware.exe 1 4 13->19         started        109 C:\Users\user\AppData\Local\...\_rust.pyd, PE32+ 17->109 dropped 111 C:\Users\user\AppData\Local\...\SDL2_ttf.dll, PE32+ 17->111 dropped 113 C:\Users\...\_imagingft.cp313-win_amd64.pyd, PE32+ 17->113 dropped 117 130 other files (3 malicious) 17->117 dropped 23 fsloader.exe 17->23         started        signatures6 process7 file8 91 C:\Users\user\fsloader\fsloader.exe, PE32+ 19->91 dropped 93 C:\Users\...\fsloader.exe:Zone.Identifier, ASCII 19->93 dropped 139 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->139 141 Adds a directory exclusion to Windows Defender 19->141 25 cmd.exe 19->25         started        28 powershell.exe 23 19->28         started        30 cmd.exe 1 19->30         started        32 cmd.exe 23->32         started        34 cmd.exe 23->34         started        36 cmd.exe 23->36         started        38 3 other processes 23->38 signatures9 process10 signatures11 143 Uses cmd line tools excessively to alter registry or file data 25->143 40 fsloader.exe 25->40         started        50 3 other processes 25->50 145 Loading BitLocker PowerShell Module 28->145 44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        48 ComputerDefaults.exe 32->48         started        52 3 other processes 32->52 54 2 other processes 34->54 56 2 other processes 36->56 58 6 other processes 38->58 process12 file13 95 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 40->95 dropped 97 C:\Users\user\AppData\Local\...\SDL2_ttf.dll, PE32+ 40->97 dropped 99 C:\Users\user\AppData\Local\...\_rust.pyd, PE32+ 40->99 dropped 101 172 other files (5 malicious) 40->101 dropped 147 Adds a directory exclusion to Windows Defender 40->147 149 Writes many files with high entropy 40->149 60 fsloader.exe 40->60         started        64 fsloader.exe 48->64         started        151 UAC bypass detected (Fodhelper) 56->151 signatures14 process15 dnsIp16 121 162.159.128.233, 443, 49729, 49737 CLOUDFLARENETUS United States 60->121 123 162.159.135.232, 443, 49731, 49739 CLOUDFLARENETUS United States 60->123 125 4 other IPs or domains 60->125 153 Adds a directory exclusion to Windows Defender 60->153 67 powershell.exe 60->67         started        70 cmd.exe 60->70         started        83 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 64->83 dropped 85 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 64->85 dropped 87 C:\Users\user\AppData\Local\...\SDL2_ttf.dll, PE32+ 64->87 dropped 89 192 other files (6 malicious) 64->89 dropped 72 fsloader.exe 64->72         started        file17 signatures18 process19 signatures20 135 Loading BitLocker PowerShell Module 67->135 74 conhost.exe 67->74         started        76 conhost.exe 70->76         started        137 Adds a directory exclusion to Windows Defender 72->137 78 powershell.exe 72->78         started        process21 signatures22 159 Loading BitLocker PowerShell Module 78->159 81 conhost.exe 78->81         started        process23
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/003e601b4d70f8a25ea0c1fab52556aa24d00192d91b2cb5c528579f4548702a
Gathering data
Threat name:
Win64.Infostealer.PySpy
Create hunting rule
Status:
Malicious
First seen:
2025-04-22 20:07:40 UTC
File Type:
PE+ (Exe)
Extracted files:
3605
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aa7gag2nod4kexvayh5lkjkwvisnaams3ensznoffblz6rkioava._file
Result
Malware family:
pysilon
Create hunting rule
Score:
  10/10
Tags:
family:pysilon defense_evasion execution persistence pyinstaller upx
Link:
https://tria.ge/reports/250424-ny3hmayxgx/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
UPX packed file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Sets file to hidden
Enumerates VirtualBox DLL files
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/852ac2c0-9fbb-4345-8d76-cdd01d667aed
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/003e601b4d70f8a25ea0c1fab52556aa24d00192d91b2cb5c528579f4548702a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments