MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a460aef2c3afb368cd33afa662ce37a7578fc5710b58c4d1fcd1aeb4ea28773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5


SHA256 hash: 0a460aef2c3afb368cd33afa662ce37a7578fc5710b58c4d1fcd1aeb4ea28773
SHA3-384 hash: 39583874c02cd8b222cf30ae85933d771e474e680604a69e86dfe54801ba8d4d1c9b147ccfa0d56ae7be80dfbc65bf1d
SHA1 hash: 2fe67e3e4be784a157dfe746e4ba94ae661c9307
MD5 hash: 690260a9f9f718ed30af33b95134e845
humanhash: king-four-seven-eight
File name: AiolosClient.exe
File size: 75'461'333 bytes
First seen: 2026-05-01 17:01:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (566 x GuLoader, 122 x RemcosRAT, 82 x EpsilonStealer)
ssdeep: 1572864:MejOS3EBGv9GxAQNZcFr1dFW+kSnChwzVjujjlXeE7:MytQDm1dzkSCWFujjluE7
TLSH: T17CF7339F8ED64161E2EE47B7E3F139580438F7010F217C16699B2E8ABB24D4CE5EB158
TrID: 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
      8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: e0c42bdcf0718ce0
Reporter: smica83
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 141
Origin country: HU
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: exe
Verdict: No threats detected
Analysis date: 2026-05-01 17:04:22 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Sending a custom TCP request
Creating synchronization primitives
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-debug crypto installer installer installer-heuristic microsoft_visual_cc nsis
Result
Threat name: n/a
Detection: malicious
Classification: spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Drops large PE files
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Behaviour
Behavior Graph (ID: 1907396; sample: AiolosClient.exe; start date: 01/05/2026; architecture: WINDOWS; score: 100)
Domains contacted: ip-api.com, drazygang.space, api.drazygang.space
Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Sigma detected: Drops script at startup location
Processes started from the sample: AiolosClient.exe (PID 2002); AiolosClient.exe; WinDefUpdate.exe
AiolosClient.exe (PID 2002)
    Dropped: C:\Users\user\AppData\Local\...\nsis7z.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Users\user\AppData\Local\Temp\...\cli.js; 62 other malicious files
    Started: AiolosClient.exe
AiolosClient.exe (child of PID 2002)
    Network: ip-api.com 208.95.112.1, ports 49700, 49705, 80 (TUT-ASUS, United States); api.drazygang.space 104.21.40.19, ports 443, 49708, 49710 (CLOUDFLARENETUS, United States); drazygang.space 172.67.174.131, ports 49701, 49702, 49706 (CLOUDFLARENETUS, United States)
    Dropped: C:\Users\user\AppData\...\WinDefUpdate.exe (PE32+); C:\Users\user\AppData\Local\...\payload.exe (PE32+); C:\Users\user\AppData\Local\Temp\bps.exe (PE32+); C:\Users\user\AppData\...\WinDefUpdate.url (MS)
    Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
    Started: cmd.exe; cmd.exe; cmd.exe; 49 other processes
cmd.exe (first)
    Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses attrib.exe to hide files
    Started: tasklist.exe; conhost.exe
cmd.exe (second)
    Signatures: Uses WMIC command to query system information (often done to detect virtual machines)
    Started: WMIC.exe; conhost.exe
cmd.exe (third)
    Started: reg.exe; conhost.exe
49 other processes
    Network: chrome.cloudflare-dns.com 172.64.41.3, ports 443, 49709 (CLOUDFLARENETUS, United States)
    Started: conhost.exe; tasklist.exe; 68 other processes
tasklist.exe (from first cmd.exe)
    Started: Conhost.exe
WMIC.exe
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
reg.exe
    Started: Conhost.exe
conhost.exe (from the 49 other processes)
    Started: Conhost.exe; Conhost.exe
tasklist.exe (from the 49 other processes)
    Started: Conhost.exe
68 other processes
    Started: Conhost.exe; Conhost.exe; Conhost.exe; 5 other processes
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution persistence pyinstaller spyware stealer
Behaviour
Checks processor information in registry
Detects videocard installed
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Hide Artifacts: Ignore Process Interrupts
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string
Rule name: telebot_framework
Author: vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments