MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc
SHA3-384 hash:	f0759c8c6d062726ae6ba97b30b5dc3510f9d38d35497b0358c082d42ad15b9fd91dbf12d62895f31b5f5603c50cdc2a
SHA1 hash:	d8f82b0226da982691a5fca1cfad6ace9f3720d9
MD5 hash:	d2ec42da5bd30344bff6d58f381eb4d2
humanhash:	fix-dakota-apart-juliet
File name:	WinDataOptimizer.exe
Download:	download sample
File size:	10'293'035 bytes
First seen:	2026-02-13 21:57:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dcaf48c1f10b0efa0a4472200f3850ed (58 x BlankGrabber, 26 x Efimer, 22 x NetSupport)
ssdeep	196608:chsqlGN6pbRStbW897GDr/x7eovq5XMP6PzFcsWpHsoqrUbRjMF+:PqhRS1yNdq1B7LWpHsoqwbpi+
TLSH	T14DA6338553D104F2E9A7A13D56A29492C273B5256F32D8AF0BA4835E3F673F24D3BB40
TrID	66.6% (.EXE) InstallShield setup (43053/19/16) 16.2% (.EXE) Win64 Executable (generic) (10522/11/4) 7.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.1% (.EXE) OS/2 Executable (generic) (2029/13) 3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	c6c2ccc4f4e0e0f8 (48 x PythonStealer, 27 x SVCStealer, 26 x CoinMiner)
Reporter	Ling
Tags:	exe Malgent Trojan:Win64/Malgent!MSR

CNGaoLing

This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win64/Malgent!MSR)

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PyInstaller

Details

PyInstaller

a compiled assembly and a Python version

Link:

https://research.acce.ciphertechsolutions.com/results/350240f6-b525-47cb-9f08-0ac530bedeb6/

Malware family:

n/a

ID:

File name:

WinDataOptimizer.exe

Verdict:

No threats detected

Analysis date:

2026-02-13 18:02:01 UTC

Tags:

python

Link:

https://app.any.run/tasks/a9e6a2f2-f6f2-4794-89a6-a8c7ac2b2aa9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53308/

Detection(s):

SecuriteInfo.com.Python.Packed.104.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=698eeb1476589225f6664126

Tags:

installer extens sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

expand installer-heuristic lolbin microsoft_visual_cc overlay packed packed pyinstaller pyinstaller virus

Link:

https://www.filescan.io/uploads/698f9e75930564ff3ca04139/reports/17805934-6443-440a-a2ba-1769679d6c31/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-02-13T06:01:00Z UTC

Last seen:

2026-02-13T12:09:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Agent.xccoum Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-Ransom.Win32.Encoder.sb Trojan-Ransom.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc/results?tab=lookup

Malware family:

LogMeIn

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/07921d55-cca2-4a49-ad4e-4901cccd4332

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/d2ec42da5bd30344bff6d58f381eb4d2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc/

Verdict:

Malicious

Threat:

Trojan-Ransom.Win32.Encoder

Link:

https://tip.neiki.dev/file/209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc

Threat name:

Win64.Trojan.Malgent

Status:

Malicious

First seen:

2026-02-13 09:12:22 UTC

File Type:

PE+ (Exe)

Extracted files:

523

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ecnkxbevajnbahhvdbf7pzvlf7nyhlfftmmxdjdcnhy5eru2itoa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/260213-1vkjvshs2d/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Unpacked files

SH256 hash:

209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc

MD5 hash:

d2ec42da5bd30344bff6d58f381eb4d2

SHA1 hash:

d8f82b0226da982691a5fca1cfad6ace9f3720d9

Link:

https://www.unpac.me/results/f72e7094-6f26-459b-b812-c0373b15b15c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/209aab849502/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 209aab8495025a101cf5184bf7e6ab2fdb83aca59b1971a46269f1d2469a44dc

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/53308/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample