MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a923c898e9d8d0f176591f5e662183d97e6ffd7d5aa74181babdde5cca2ae81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a923c898e9d8d0f176591f5e662183d97e6ffd7d5aa74181babdde5cca2ae81
SHA3-384 hash: 2b412c009e12d9c8d1f63d73707cc845cd34cbed0780b50ba5fac643b77fc2765833cd4ed790b53a58bb21159340301d
SHA1 hash: c9f5f4833ff133a4a5ce7a91876d10814985a940
MD5 hash: cb2c1d5feeb55da27ec563012eb2ea44
humanhash: nineteen-quiet-florida-sixteen
File name:AppVShNotify.exe.bin
Download: download sample
Signature Expiro
Create hunting rule
File size:1'388'544 bytes
First seen:2025-01-30 12:13:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bdec22e8cbcc3e2ab7f98315a0cc9543 (1 x Expiro)
ssdeep 12288:uwkNKiZ+R2GGNUbTNwXXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/T:uzNKUQwXsqjnhMgeiCl7G0nehbGZpbD
Threatray 71 similar samples on MalwareBazaar
TLSH T10355DF7BDD28FCE1C67E9CB98791C700DA623931475192CBD2B5819ACE132E09E79C26
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter JAMESWT_WT
Tags:exe Expiro NEOFX Spam-ITA

Intelligence

File Origin
# of uploads :
1
# of downloads :
433
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BONIFICI CONFIRMATIONS.GZ
Verdict:
Malicious activity
Analysis date:
2025-01-30 12:03:37 UTC
Tags:
delphi auto generic m0yv sinkhole snake keylogger evasion stealer smtp netreactor
Link:
https://app.any.run/tasks/3f98f538-c0a9-4d58-ba31-a843c2d53d35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Expiro-3.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679b6eb629ae628cf42b9be0
Tags:
shellcode expiro trojan virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Modifying an executable file
Launching a service
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Modifying a system executable file
Connection attempt to an infection source
Launching a process
Loading a system driver
Modifying a system file
Using the Windows Management Instrumentation requests
Enabling autorun for a service
Query of malicious DNS domain
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm masquerade microsoft_visual_cc
Link:
https://www.filescan.io/uploads/679b6d157d511d7c1faa0559/reports/b4b77f22-a09f-4f93-8872-9b8165422eaa/overview
Verdict:
Malicious
Labled as:
Win64.Expiro.Generic
Link:
https://www.hybrid-analysis.com/sample/2a923c898e9d8d0f176591f5e662183d97e6ffd7d5aa74181babdde5cca2ae81
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49d20b86-1195-4f2f-bc57-53061052ddc3
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1603009
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1603009 Sample: AppVShNotify.exe.bin.exe Startdate: 30/01/2025 Architecture: WINDOWS Score: 100 25 zlenh.biz 2->25 27 xlfhhhm.biz 2->27 29 24 other IPs or domains 2->29 41 Suricata IDS alerts for network traffic 2->41 43 Antivirus detection for URL or domain 2->43 45 Antivirus detection for dropped file 2->45 47 6 other signatures 2->47 6 AppVShNotify.exe.bin.exe 1 2->6         started        11 alg.exe 1 2->11         started        13 TieringEngineService.exe 2->13         started        15 19 other processes 2->15 signatures3 process4 dnsIp5 31 gytujflc.biz 208.117.43.225, 56674, 80 STEADFASTUS United States 6->31 33 fwiwk.biz 72.52.178.23, 49711, 49719, 56654 LIQUIDWEBUS United States 6->33 39 9 other IPs or domains 6->39 17 C:\Windows\System32\wbengine.exe, PE32+ 6->17 dropped 19 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 6->19 dropped 21 C:\Windows\System32\vds.exe, PE32+ 6->21 dropped 23 150 other malicious files 6->23 dropped 49 Drops executable to a common third party application directory 6->49 51 Infects executable files (exe, dll, sys, html) 6->51 53 Found direct / indirect Syscall (likely to bypass EDR) 6->53 35 xlfhhhm.biz 47.129.31.212, 56392, 56396, 80 ESAMARA-ASRU Canada 11->35 37 qaynky.biz 13.251.16.150, 56393, 56394, 56397 AMAZON-02US United States 11->37 55 Creates files in the system32 config directory 11->55 57 Contains functionality to behave differently if execute on a Russian/Kazak computer 11->57 59 Creates files inside the volume driver (system volume information) 13->59 file6 signatures7
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2a923c898e9d8d0f176591f5e662183d97e6ffd7d5aa74181babdde5cca2ae81
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a923c898e9d8d0f176591f5e662183d97e6ffd7d5aa74181babdde5cca2ae81/
Threat name:
Win64.Virus.Expiro
Create hunting rule
Status:
Malicious
First seen:
2025-01-30 12:09:01 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fkjdzcmotwgq6f3fsh26myqyhwl6n76x2wvhiga3vpo6ltfcv2aq._file
Verdict:
malicious
Label(s):
expiro
Create hunting rule
Similar samples:
3ca1c11c2d4173581e8007b955c912dd1d6abdb1bafe03924aca8cba437df745
Expiro
5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796
Expiro
77fff1c59aace50f9bbb9184b1086cccb57df0cb5d3b10589a9b6b91283aa719
Expiro
8ddfda62decd6de3185b1ec3bebe067a20a124a39f8483afa9bbc47b3f3d0c09
Expiro
9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365
Expiro
9a759f2ef8ee16b697f30aab51fc726f9697b338e0aba56c063860146bbfc76b
Expiro
b336830d627101633db934f8d48606639c70d133a5985026bc250c035e887faf
Expiro
ec01b76e956bceeec02a2bf5004ec837639562729f5ea4fd61f2f9f1ea0e803f
Expiro
ed0b66043d5223c79f2206468bd12d369d933e0db2234508702ce7402579835f
Expiro
error
Expiro
+ 61 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/250130-pea5psspcp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Executes dropped EXE
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
expiro
YARA:
n/a
Link:
https://app.threat.zone/submission/050482e4-18ba-48cd-8ba7-404890ad8364
Unpacked files
SH256 hash:
2a923c898e9d8d0f176591f5e662183d97e6ffd7d5aa74181babdde5cca2ae81
MD5 hash:
cb2c1d5feeb55da27ec563012eb2ea44
SHA1 hash:
c9f5f4833ff133a4a5ce7a91876d10814985a940
Link:
https://www.unpac.me/results/60f22d1b-d812-4c06-8a66-6312a00409e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a923c898e9d8d0f176591f5e662183d97e6ffd7d5aa74181babdde5cca2ae81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_ebf62328
Create hunting rule
Author:Elastic Security
Rule name:win_m0yv_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.m0yv.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::CopySid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetSidLengthRequired
ADVAPI32.dll::GetSidSubAuthority
ADVAPI32.dll::GetTokenInformation
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcBindingInqAuthClientW
RPCRT4.dll::RpcImpersonateClient
RPCRT4.dll::RpcRevertToSelf
RPCRT4.dll::RpcServerListen
RPCRT4.dll::RpcServerRegisterAuthInfoW
RPCRT4.dll::RpcServerRegisterIf2
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorControl
ADVAPI32.dll::GetSecurityDescriptorDacl
ADVAPI32.dll::GetSecurityDescriptorGroup
ADVAPI32.dll::GetSecurityDescriptorOwner
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolWork
KERNEL32.dll::CreateThreadpoolCleanupGroup
KERNEL32.dll::CreateThreadpool
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsapi-ms-win-crt-private-l1-1-0.dll::_o__get_wide_winmain_command_line

Comments