MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31f6c888015f7c8e5ba0b372f812db1e968ae601cbbf3b7da9b63699b96f3ab0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31f6c888015f7c8e5ba0b372f812db1e968ae601cbbf3b7da9b63699b96f3ab0
SHA3-384 hash: bf7cfc766e34ea1c611f4691a4d1e48b4dd9481c01a72979514c789fedb7fbb77f3daead2bd4e277105d820f26d15c41
SHA1 hash: dd9cf4b20bdf9389a947e61cdb4ab6a17d82cf8b
MD5 hash: b78e69c90b101da3612dce472f084bb5
humanhash: comet-beryllium-sixteen-vermont
File name:Update.exe
Download: download sample
File size:17'399'170 bytes
First seen:2025-05-12 03:32:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 965e162fe6366ee377aa9bc80bdd5c65 (45 x BlankGrabber, 13 x CoinMiner, 9 x Efimer)
ssdeep 393216:fP+bFQuF113vY5WJVwJ6uC0XV/eiY/PLoOO797g:fqTn3vYWJqlCAVS/PL47N
TLSH T16B07331C639811F6FDEAE53E15729C71CA687E070B97C1EF82B8D1942D233C16639A72
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter FeeDataExceptio
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
448
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Update.exe
Verdict:
Suspicious activity
Analysis date:
2025-05-12 03:37:47 UTC
Tags:
python
Link:
https://app.any.run/tasks/4f1b386b-0b1f-4786-a3fd-6ed69823baa8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Ransom.Qilra.1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68216d684a59e5a2ce03cd47
Tags:
installer extens virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Delayed reading of the file
DNS request
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/68216bfcd95f3e34e9669f1e/reports/da6e20f1-7250-4dc7-a51f-769ea298d89b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/31f6c888015f7c8e5ba0b372f812db1e968ae601cbbf3b7da9b63699b96f3ab0
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cc4cbb4f-2bbf-4ffa-ae2d-530dcf5b278c
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1687394
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses the Telegram API (likely for C&C communication)
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/31f6c888015f7c8e5ba0b372f812db1e968ae601cbbf3b7da9b63699b96f3ab0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31f6c888015f7c8e5ba0b372f812db1e968ae601cbbf3b7da9b63699b96f3ab0/
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-05-12 03:33:19 UTC
File Type:
PE+ (Exe)
Extracted files:
1344
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gh3mrcabl56i4w5awnzpqew3d2livzqbzo7tw7njwy3jtolphkya._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/250512-d4a1fsxvdx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Loads dropped DLL
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0046a34b-30a3-4d74-9375-ff7029970a1a
Unpacked files
SH256 hash:
31f6c888015f7c8e5ba0b372f812db1e968ae601cbbf3b7da9b63699b96f3ab0
MD5 hash:
b78e69c90b101da3612dce472f084bb5
SHA1 hash:
dd9cf4b20bdf9389a947e61cdb4ab6a17d82cf8b
Link:
https://www.unpac.me/results/3e08169d-1298-488b-a650-5a4bcf325f47/
SH256 hash:
007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
MD5 hash:
8d4805f0651186046c48d3e2356623db
SHA1 hash:
18c27c000384418abcf9c88a72f3d55d83beda91
Link:
https://www.unpac.me/results/3e08169d-1298-488b-a650-5a4bcf325f47/
SH256 hash:
052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
MD5 hash:
32da96115c9d783a0769312c0482a62d
SHA1 hash:
2ea840a5faa87a2fe8d7e5cb4367f2418077d66b
Link:
https://www.unpac.me/results/3e08169d-1298-488b-a650-5a4bcf325f47/
SH256 hash:
441363c5b15394ca4b117200800722d48042c04407d03aac0d1a0a967b7c68e4
MD5 hash:
090f55321224c4bb65d9b9d99045ac89
SHA1 hash:
e28591421fa4464ed4b31e31f66b6dd6db051c84
Link:
https://www.unpac.me/results/3e08169d-1298-488b-a650-5a4bcf325f47/
SH256 hash:
90ba935a0145ee9ae56267a365cc0088d34fa506b7afeb2bd1bd78cd33359605
MD5 hash:
7b4bd20267c93e35c49c32aad05b6b15
SHA1 hash:
860a10d04c8764f540ed34cf08e06f32b7b37611
Link:
https://www.unpac.me/results/3e08169d-1298-488b-a650-5a4bcf325f47/
SH256 hash:
ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7
MD5 hash:
ae5b2e9a3410839b31938f24b6fc5cd8
SHA1 hash:
9f9a14efc15c904f408a0d364d55a144427e4949
Link:
https://www.unpac.me/results/3e08169d-1298-488b-a650-5a4bcf325f47/
SH256 hash:
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
MD5 hash:
0f8e4992ca92baaf54cc0b43aaccce21
SHA1 hash:
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
Link:
https://www.unpac.me/results/3e08169d-1298-488b-a650-5a4bcf325f47/
SH256 hash:
fdd54b6c495e9278e73d68203fff0c300e416e704852908cf5b06666cffead51
MD5 hash:
d6dfb6a9518a57e180980f7a07098d7d
SHA1 hash:
6026120461f5cbcd9255670b6a906fd8f5329073
Link:
https://www.unpac.me/results/3e08169d-1298-488b-a650-5a4bcf325f47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31f6c888015f7c8e5ba0b372f812db1e968ae601cbbf3b7da9b63699b96f3ab0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments