MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e2b91d35f297b7cb34abe360a1df8ac37c08d3f6d776ecfe8a64e20692597ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 34 File information Comments

SHA256 hash: 1e2b91d35f297b7cb34abe360a1df8ac37c08d3f6d776ecfe8a64e20692597ac
SHA3-384 hash: 26b7b85ceff86710cbb240dad6d38502f1a1e25f12eb94634c55057c14826a3c35884ac88197d3ede70eea3d178ddab4
SHA1 hash: c027b95ec5deadaa61029eb5a6862b22c963d278
MD5 hash: 3d625ab0fb7e527f9f17050f94ba47bd
humanhash: apart-delta-zebra-grey
File name:download
Download: download sample
File size:79'800'099 bytes
First seen:2026-07-11 14:58:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 256f62cebbdf487a51266276ef16169b
ssdeep 1572864:0UD9SwhtDrZi1QJFl3jYyGFPZ+BqZkPgdYWChrj5X:t8mDrwSFl3j7w+BqZ7irj5X
TLSH T14308D043A6F1082DC562D232459B8232FB73B455133556EB734D03A23F77AA18FB6BA1
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter BlinkzSec

Intelligence


File Origin
# of uploads :
1
# of downloads :
70
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_1e2b91d35f297b7cb34abe360a1df8ac37c08d3f6d776ecfe8a64e20692597ac.exe
Verdict:
Malicious activity
Analysis date:
2026-07-11 15:00:34 UTC
Tags:
stealer discord auto-reg exastealer java ip-check evasion arch-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Tags:
obfuscate xtreme shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Restart of the analyzed sample
Creating a file
Running batch commands
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Forced shutdown of a browser
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-22T13:02:00Z UTC
Last seen:
2026-07-12T12:58:00Z UTC
Hits:
~100
Detections:
Trojan-Banker.Win32.Express.sb Trojan-Spy.Stealer.TCP.C&C Trojan-Spy.Win32.Stealer.sb Trojan-PSW.MSIL.Stealer.sb Trojan-Banker.Win32.ClipBanker.sb Trojan-Spy.Stealer.HTTP.C&C Trojan-Spy.Win32.Stealer.ftam Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb
Gathering data
Threat name:
Win64.Trojan.Egairtigado
Status:
Malicious
First seen:
2026-06-22 17:52:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution persistence spyware stealer
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:attack_India
Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:detect_tiny_vbs
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:Glasses
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Author:Seth Hardy
Description:Glasses code features
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:ldpreload
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:mht_inside_word
Author:dPhish
Description:Detect embedded mht files inside microsfot word.
Rule name:MoleBoxv20
Author:malware-lu
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Websites
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:test_Malaysia
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:WHIRLPOOL_Constants
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:WinosStager
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Rule name:without_attachments
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1e2b91d35f297b7cb34abe360a1df8ac37c08d3f6d776ecfe8a64e20692597ac

(this sample)

  
Delivery method
Distributed via web download

Comments