MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06bbcbf700c2ed35c7da677111c8504fa63b500030cfaab72761d84384bb1554. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiskWriter

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	06bbcbf700c2ed35c7da677111c8504fa63b500030cfaab72761d84384bb1554
SHA3-384 hash:	4a40d7b8764c82f8318adfc5c09196776d7851ad446d5dafb1f5ce7cd3a2764454e2f88e8ec32523989afd6ceb4d98cc
SHA1 hash:	72942bf9a4c5a22d9a63648e4166796350b6632e
MD5 hash:	efef3779520468d334430643526a5149
humanhash:	nine-sodium-dakota-oklahoma
File name:	SRD3MOD3.exe
Download:	download sample
Signature	DiskWriter Create hunting rule
File size:	22'206'411 bytes
First seen:	2025-09-06 23:18:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c990338f8145dc29c6f38fb73cf05c77 (58 x BlankGrabber, 7 x PythonStealer, 5 x DiscordTokenStealer)
ssdeep	393216:7W0OXMCHWUjuLLsKHhWbgKj5xOvsa8fmE+MfU9erRQ7XbFsn6ggAaQbLvPMxQ1BO:78XMb8uLLsKMMo5ovsVuX+U9erRQ766z
TLSH	T1A427334963B02465FA53863EC6F1D819C96ABD2227B0C5CFC7DC61330E934E66A3DB91
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
dhash icon	c6c2ccc4f4e0e0f8 (47 x PythonStealer, 26 x CoinMiner, 24 x SVCStealer)
Reporter	AntiSkidding
Tags:	DiskWriter exe gdi Python Skidware

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SRD3MOD3.exe

Verdict:

Malicious activity

Analysis date:

2025-09-06 23:19:18 UTC

Tags:

python pyinstaller

Link:

https://app.any.run/tasks/adf82e4c-0cd8-4b3b-bbd1-dee4bd91383c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/26043/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68bcc14deb163e0ec1852ccc

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Creating a window

Running batch commands

Creating a process with a hidden window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Blocking a possibility to launch for the Windows Task Manager (taskmgr)

Rewriting of the hard drive's master boot record

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug expand lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller pyinstaller threat

Link:

https://www.filescan.io/uploads/68bcc14d37c25fcf12d5e0e1/reports/d6085007-1ecd-4350-a0ba-fa2bbddf408b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/06bbcbf700c2ed35c7da677111c8504fa63b500030cfaab72761d84384bb1554

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-09-06T20:31:00Z UTC

Last seen:

2025-09-06T20:31:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/06bbcbf700c2ed35c7da677111c8504fa63b500030cfaab72761d84384bb1554/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/06bbcbf700c2ed35c7da677111c8504fa63b500030cfaab72761d84384bb1554

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/efef3779520468d334430643526a5149

Gathering data

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/06bbcbf700c2ed35c7da677111c8504fa63b500030cfaab72761d84384bb1554

Threat name:

Win64.Malware.Heuristic

Status:

Malicious

First seen:

2025-09-06 23:19:32 UTC

File Type:

PE+ (Exe)

Extracted files:

866

AV detection:

10 of 38 (26.32%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a254x5yaylwtlr62m5yrdscqj6tdwuaagdh2vnzhmhmehbf3cvka._file

Verdict:

suspicious

Label(s):

admintool_plink

Similar samples:

error

DiskWriter

Result

Malware family:

n/a

Score:

8/10

Tags:

bootkit defense_evasion persistence pyinstaller

Link:

https://tria.ge/reports/250906-3ah7easky9/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Writes to the Master Boot Record (MBR)

Loads dropped DLL

Disables Task Manager via registry modification

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/10e48e58-362c-4796-8d9c-ff5e58f16c83

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/06bbcbf700c2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/06bbcbf700c2ed35c7da677111c8504fa63b500030cfaab72761d84384bb1554

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/26043/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample