MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20175164f65e166c5fd9fbd90fb6d2f44a0202621fa84d772a500e140704ee03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash: 20175164f65e166c5fd9fbd90fb6d2f44a0202621fa84d772a500e140704ee03
SHA3-384 hash: e7889a79b629704d4729475677f7f4b06556ae24a9629487b2e0464675c2437b493cac7fbc4ff5d153ced2433689cd74
SHA1 hash: 23e1e21bef9468ff828608102aa2ee1973658947
MD5 hash: 64b60010cc156309516057415e2eb462
humanhash: spaghetti-eight-orange-missouri
File name:64b60010cc156309516057415e2eb462
Download: download sample
File size:19'291'319 bytes
First seen:2026-06-22 08:01:25 UTC
Last seen:2026-07-06 09:06:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (142 x Efimer, 60 x BlankGrabber, 22 x NetSupport)
ssdeep 393216:785vzasFl7dCR1C99OXr8Lg5lQbZklOIl2lInEroX314S2kIn8vaxbc50BcPmT1q:I5vzJFlUR1OOb8aQQLErUqkWMaxA50BO
TLSH T10217335067E018BBDAF65A7AC036E16891A2B4124B81C1EF5BFCD31A5F6B7E03D38D05
TrID 70.9% (.EXE) InstallShield setup (43053/19/16)
10.7% (.EXE) Win64 Executable (generic) (6522/11/2)
8.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.3% (.EXE) OS/2 Executable (generic) (2029/13)
3.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter adrian__luca
Tags:exe

Intelligence


File Origin
# of uploads :
3
# of downloads :
114
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
Malware family:
n/a
ID:
1
File name:
_20175164f65e166c5fd9fbd90fb6d2f44a0202621fa84d772a500e140704ee03.exe
Verdict:
No threats detected
Analysis date:
2026-06-22 08:16:43 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug expand lolbin microsoft_visual_cc overlay packed packed pyinstaller reconnaissance
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-22T05:30:00Z UTC
Last seen:
2026-06-23T23:27:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Inject.sb HEUR:Trojan-PSW.Python.Agent.gen
Gathering data
Threat name:
Win64.Trojan.Egairtigado
Status:
Malicious
First seen:
2026-06-22 08:08:53 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
20175164f65e166c5fd9fbd90fb6d2f44a0202621fa84d772a500e140704ee03
MD5 hash:
64b60010cc156309516057415e2eb462
SHA1 hash:
23e1e21bef9468ff828608102aa2ee1973658947
SH256 hash:
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d
MD5 hash:
7667b0883de4667ec87c3b75bed84d84
SHA1 hash:
e6f6df83e813ed8252614a46a5892c4856df1f58
SH256 hash:
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790
MD5 hash:
a5471f05fd616b0f8e582211ea470a15
SHA1 hash:
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e
SH256 hash:
bcc45438a09e089fde486642352242992429085e677c06026cafac17f3e6c3b8
MD5 hash:
db456d5f857cff4e0630391f86867588
SHA1 hash:
c7f6de245bde4363908c1c20af26e3dd6b145a94
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:telebot_framework
Author:vietdx.mb
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 20175164f65e166c5fd9fbd90fb6d2f44a0202621fa84d772a500e140704ee03

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments