MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Expiro

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e
SHA3-384 hash:	e9f11f00d0f8b7fae196956baa24f2143a04e4c8b4ecd64e5d7f8899ad0f21ea38d246ede7bdbb248e33525906a57e86
SHA1 hash:	4e6c04bd311d100e0c98ca42e60266983c638c7b
MD5 hash:	cb66156af405d734dba0415b73a8f016
humanhash:	king-oklahoma-failed-carbon
File name:	22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e
Download:	download sample
Signature	Expiro Create hunting rule
File size:	1'523'712 bytes
First seen:	2026-06-04 13:42:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	774af14df25813dca3a4f7854d0cfc88 (1 x Expiro)
ssdeep	24576:qfYNHw/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:qfYtwLNiXicJFFRGNzj3
TLSH	T18265F12F62AD18E4E57B913DCA828109F2727C66171196DF01A0827E1F27FE9BD3E741
TrID	51.9% (.EXE) Win64 Executable (generic) (6522/11/2) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.9% (.EXE) Generic Win/DOS Executable (2002/3) 15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	EnthecSolutions
Tags:	enthec exe Expiro PE

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

exe

Verdict:

Malicious activity

Analysis date:

2026-06-04 13:42:50 UTC

Tags:

m0yv

Link:

https://app.any.run/tasks/91ae51f2-c503-4191-934f-c795144ac112

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68990/

Detection(s):

SecuriteInfo.com.Win32.Expiro-3.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2180f857b7bf261d60d552

Tags:

expiro virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Сreating synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug microsoft_visual_cc

Link:

https://www.filescan.io/uploads/6a2180f5e05d89b36140a2f2/reports/166fe171-efcc-4630-8cf0-72c9d1710e19/overview

Verdict:

Malicious

Labled as:

Win64.Expiro.Generic

Link:

https://www.hybrid-analysis.com/sample/22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-05-05T18:50:00Z UTC

Last seen:

2026-05-05T19:03:00Z UTC

Hits:

~10

Detections:

Virus.Win64.Moiva.a

Link:

https://opentip.kaspersky.com/22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e/results?tab=lookup

Malware family:

Expiro

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9ccb167d-63d8-4bf8-a479-92a8a5f9c652

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e/

Verdict:

Malicious

Threat:

Family.M0YV

Link:

https://tip.neiki.dev/file/22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e

Threat name:

Win64.Virus.Expiro

Status:

Malicious

First seen:

2026-05-05 19:31:35 UTC

File Type:

PE+ (Exe)

AV detection:

28 of 36 (77.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eldu4tvokjkt5c7bzylym2d6qbbvcckm47k5x7y3w22zwvumhb7a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260604-q1dcmagw6q/

Unpacked files

SH256 hash:

22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e

MD5 hash:

cb66156af405d734dba0415b73a8f016

SHA1 hash:

4e6c04bd311d100e0c98ca42e60266983c638c7b

Detections:

triage_expiro_worm

Link:

https://www.unpac.me/results/933dbf48-aca3-4336-b9da-8f614cc83f3f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22c74e4eae52553e8be1ce1786687e804351094ce7d5dbff1bb6b59b568c387e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/68990/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample