MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2248a71fc8e91ca64eeb2c31f9104d237269dcccb4ed78f140e859eabae1cee2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PythonStealer


Vendor detections: 11



SHA256 hash: 2248a71fc8e91ca64eeb2c31f9104d237269dcccb4ed78f140e859eabae1cee2
SHA3-384 hash: 7c8ad2c0609b89dd139ace909a5206eb06f3cbe140de52b05861fc048daa0b715cb2abc576aab3ddaa73f239cf472cc7
SHA1 hash: bf66bc0e94d75690f40a47c559a7e482a02397d5
MD5 hash: 46839a55602af9fb5ef1479e13ae1337
humanhash: floor-enemy-tennessee-juliet
File name: svchost.exe
Signature: PythonStealer
File size: 18'247'560 bytes
First seen: 2026-06-03 20:13:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c34ae6746479dcbcc53703921362989a (1 x PythonStealer)
ssdeep: 393216:oRgJsZDng62C24hPgxT3egix3YF7xGy+s7y+oErn+T:SisZc62P4Rg+YiPyr+T
TLSH: T11807334A66F5E53DF3139870BAC46BD8673070C65B1683A711B2C1B41C5B8B49F3A8FA
TrID: 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
      16.1% (.EXE) OS/2 Executable (generic) (2029/13)
      15.9% (.EXE) Generic Win/DOS Executable (2002/3)
      15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika: pebin
Reporter: smica83
Tags: exe PythonStealer signed

Code Signing Certificate

Organisation: MicroFemboychik
Issuer: MicroFemboychik
Algorithm: sha1WithRSA
Valid from: 2026-06-03T02:45:54Z
Valid to: 2039-12-31T23:59:59Z
Serial number: 6eb3a7eef4cdf5bf405118819d3fa0eb
Thumbprint algorithm: SHA256
Thumbprint: 95cbdd51718f98f37b63c6ea178c4f8f4bb446b5aa86d44b95866873c2be2f71
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
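The certificate above is self-issued (Organisation and Issuer are the same string), signed with sha1WithRSA, valid for more than thirteen years, and was created roughly seventeen hours before the sample was first seen. The "signed" tag therefore says nothing about trust: such a signature chains to no root in the Windows certificate store and only exists to satisfy tooling that checks for the presence of a signature. The following Python triage check is added here as an example and is not MalwareBazaar or ReversingLabs code; it encodes those observations as heuristics over the fields shown on this page. The 39-month validity ceiling for publicly trusted code-signing certificates and the 24-hour "freshly minted" window are the example's own thresholds, and the certificate dictionary is a constructed copy of the values listed above.

```python
from datetime import datetime, timedelta, timezone

# Constructed copy of the certificate fields shown on this page.
CERT = {
    "organisation": "MicroFemboychik",
    "issuer": "MicroFemboychik",
    "algorithm": "sha1WithRSA",
    "valid_from": "2026-06-03T02:45:54Z",
    "valid_to": "2039-12-31T23:59:59Z",
    "serial": "6eb3a7eef4cdf5bf405118819d3fa0eb",
}
# "First seen" value from the file information block above.
SAMPLE_FIRST_SEEN = "2026-06-03 20:13:50 UTC"

# Example thresholds (assumptions, not MalwareBazaar settings): publicly trusted
# code-signing certificates are capped at roughly 39 months, and a certificate
# minted less than a day before the binary appears is typical of throwaway signers.
MAX_VALIDITY = timedelta(days=39 * 31)
FRESH_WINDOW = timedelta(hours=24)


def parse_utc(stamp):
    """Parse the two timestamp formats used on the page into aware UTC datetimes."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {stamp!r}")


def triage_cert(cert, first_seen):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    # The page only exposes Organisation and Issuer; a full check would compare
    # the complete subject/issuer DNs and the SKI/AKI extensions of the real cert.
    if cert["organisation"] == cert["issuer"]:
        findings.append("self-signed: subject equals issuer, so the signature "
                        "chains to no root in the Windows trust store")
    if cert["algorithm"].lower().startswith("sha1"):
        findings.append("SHA-1 signature algorithm: deprecated for Authenticode, "
                        "SHA-256 is expected")
    not_before = parse_utc(cert["valid_from"])
    not_after = parse_utc(cert["valid_to"])
    lifetime = not_after - not_before
    if lifetime > MAX_VALIDITY:
        findings.append(f"validity of {lifetime.days} days exceeds the 39-month "
                        "ceiling for publicly trusted code-signing certificates")
    seen = parse_utc(first_seen)
    if seen < not_before:
        # Edge case: a signed file observed before its certificate was valid
        # points at backdating or a broken timestamp; flag it separately.
        findings.append("sample seen before the certificate's notBefore date")
    elif seen - not_before <= FRESH_WINDOW:
        findings.append(f"certificate issued only {seen - not_before} before "
                        "the sample was first seen")
    return findings


if __name__ == "__main__":
    for line in triage_cert(CERT, SAMPLE_FIRST_SEEN):
        print("-", line)
```

On the values above all four heuristics fire. The check is deliberately independent of the PE file itself so it can run on metadata pulled from a report; to verify the actual Authenticode chain you still need the binary and a tool that validates the PKCS#7 blob against a trust store.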

Intelligence


File Origin
# of uploads: 1
# of downloads: 158
Origin country: HU

Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: exe
Verdict: Malicious activity
Analysis date: 2026-06-03 20:15:26 UTC
Tags: evasion auto-reg python ip-check openssl tool rust
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.1%
Tags: vmdetect extens shell sage

Result
Verdict: Malware
Maliciousness:
Behaviour
Restart of the analyzed sample
DNS request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: anti-debug base64 expand lolbin nuitka obfuscated packed packed reconnaissance signed

Verdict: Malicious
File Type: exe x64
First seen: 2026-06-03T02:56:00Z UTC
Last seen: 2026-06-04T10:36:00Z UTC
Hits: ~100
Detections: Trojan-Dropper.Win32.Sysn.ddmq PDM:Trojan.Win32.Generic Trojan.Win64.Agent.sb Trojan.Win32.Agent.sb

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
AI detected suspicious PE digital signature
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph (ID 1922535; sample svchost.exe; start date 03/06/2026; architecture WINDOWS; score 72)
Network: wqekkfdjsdfaasdfjkbwefb.io; api.ipify.org (104.26.13.205, port 443, CLOUDFLARENET-CloudflareIncUS, Canada; local ports 49707, 49712); 193.70.34.25 port 20224 (OVHFR, France; local ports 49708, 49713); 127.0.0.1
Processes: three svchost.exe instances started from the sample, each starting a further svchost.exe child; one child starts cmd.exe, which starts conhost.exe
Dropped files: C:\Users\user\AppData\...\_quoting_c.pyd (PE32+), C:\Users\user\AppData\...\vcruntime140_1.dll (PE32+), C:\Users\user\AppData\...\vcruntime140.dll (PE32+), plus 36 other files per instance (none flagged as malicious); the first instance dropped 39 other files (none flagged as malicious)
Graph signatures: Multi AV Scanner detection for submitted file; Sigma detected: System File Execution Location Anomaly; AI detected suspicious PE digital signature; 2 other signatures; System process connects to network (likely due to code injection or exploit)
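The sandbox output above amounts to a detection recipe: a file named svchost.exe executing from a user profile directory, started by something other than services.exe, writing a Run key for persistence, spawning cmd.exe, and resolving api.ipify.org before contacting 193.70.34.25 on port 20224. The Python below is added here as an example and is not code from Joe Sandbox, MalwareBazaar or any published Sigma rule; it applies those checks to Sysmon-style event dictionaries (process creation, registry value set, DNS query) so the logic can be exercised offline. The event records are constructed for the example and are not taken from the report; the allow-list of legitimate svchost.exe parents and the list of IP-check services are the example's own simplifications.

```python
import re
from pathlib import PureWindowsPath

# Locations from which the genuine svchost.exe runs (assumption: Windows on C:).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# System binary names that malware commonly borrows for camouflage.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "wininit.exe", "smss.exe"}
# Legitimate svchost.exe parent. Production Sigma rules carry a longer
# allow-list; this single entry is the example's simplification.
SVCHOST_PARENTS = {"services.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# External IP lookup services; api.ipify.org is the one seen in the report.
IP_CHECK_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me"}


def split_image(image):
    """Return (directory, basename), both lower-cased, for a Windows image path."""
    path = PureWindowsPath(image)
    return str(path.parent).lower(), path.name.lower()


def check_event(ev):
    """Evaluate one Sysmon-style event dict and return the alerts it triggers."""
    alerts = []
    eid = ev["EventID"]
    if eid == 1:  # process creation
        directory, name = split_image(ev["Image"])
        _, parent = split_image(ev.get("ParentImage", ""))
        if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            alerts.append(f"{name} executed from {directory} (system file location anomaly)")
        if name == "svchost.exe" and parent not in SVCHOST_PARENTS:
            alerts.append(f"svchost.exe started by {parent or 'unknown'} instead of services.exe")
        if parent == "svchost.exe" and name in SHELLS:
            alerts.append(f"{name} spawned by svchost.exe")  # weak signal on its own
    elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):  # registry value set
        alerts.append(f"Run-key persistence: {ev['TargetObject']} = {ev.get('Details', '')}")
    elif eid == 22 and ev.get("QueryName", "").lower() in IP_CHECK_HOSTS:  # DNS query
        alerts.append(f"external IP lookup via {ev['QueryName']}")
    return alerts


def scan(events):
    """Run check_event over a list of events and collect (EventID, alert) pairs."""
    return [(ev["EventID"], alert) for ev in events for alert in check_event(ev)]


# Constructed sample telemetry modelled on the sandbox report; not real log data.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Users\user\Downloads\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
    {"EventID": 22, "QueryName": "api.ipify.org"},
    {"EventID": 22, "QueryName": "www.example.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
]

if __name__ == "__main__":
    for eid, alert in scan(EVENTS):
        print(f"[EventID {eid}] {alert}")
```

Replace EVENTS with records parsed from Sysmon EVTX or JSON output to run this against real telemetry. The location and parent checks are high-confidence on their own; the "shell spawned by svchost.exe" check also fires on legitimate scheduled-task activity and should be correlated with the other alerts rather than paged on alone.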
Threat name: Win64.Trojan.Malgent
Status: Malicious
First seen: 2026-06-03 07:43:38 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 4 of 24 (16.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Unpacked files
SHA256 hash: 2248a71fc8e91ca64eeb2c31f9104d237269dcccb4ed78f140e859eabae1cee2
MD5 hash: 46839a55602af9fb5ef1479e13ae1337
SHA1 hash: bf66bc0e94d75690f40a47c559a7e482a02397d5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments