MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d8a017c73cc2eda5238f0910005708dc114dd4a16a511339c8d12071ab9d23d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	3d8a017c73cc2eda5238f0910005708dc114dd4a16a511339c8d12071ab9d23d
SHA3-384 hash:	df182d0380a9bb537ac37885a3e1425c48cb77e48c948cbb82fde835b7ba4859d9c2aa2056a0dd649e2d0c7a0be25129
SHA1 hash:	f3bab80cd8ddf3bf17c225b0ab2e2bb46079a25a
MD5 hash:	65a7938b2286f32dc941f6a6f5d3465d
humanhash:	maine-whiskey-stairway-fix
File name:	65a7938b2286f32dc941f6a6f5d3465d
Download:	download sample
File size:	19'291'319 bytes
First seen:	2026-06-22 08:01:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dcaf48c1f10b0efa0a4472200f3850ed (60 x BlankGrabber, 31 x Efimer, 22 x NetSupport)
ssdeep	393216:785vzasFl7dCR1C99OXr8Lg5lQbZklOIl2lInEroX314S2kIn8vaxbc50BcPmT1S:I5vzJFlUR1OOb8aQQLErUqkWMaxA50Bu
TLSH	T11717335067E018BBDAF65A7AC036E16891A2B4124B81C1EF5BFCD31A5F6B7E03D38D05
TrID	70.9% (.EXE) InstallShield setup (43053/19/16) 10.7% (.EXE) Win64 Executable (generic) (6522/11/2) 8.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.3% (.EXE) OS/2 Executable (generic) (2029/13) 3.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	adrian__luca
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PyInstaller

Details

Link:

https://research.acce.ciphertechsolutions.com/results/891f76ab-e988-4d36-9c4a-2a7ad2236a45/

Malware family:

n/a

ID:

File name:

exe

Verdict:

No threats detected

Analysis date:

2026-06-22 08:27:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0765a4ad-0ecd-4a62-8d76-fdd85f923f9d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/71497/

Detection(s):

SecuriteInfo.com.Python.Packed.104-3.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a38ed1a86bc95245bf8900c

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Creating a window

Running batch commands

Creating a process with a hidden window

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Loading a suspicious library

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug expand lolbin microsoft_visual_cc overlay packed packed pyinstaller reconnaissance

Link:

https://www.filescan.io/uploads/6a38ec9e31dc626703eb8d6b/reports/b7a1cd2e-e2da-45df-86d9-39a85bef8ec5/overview

Verdict:

Malicious

Labled as:

Stealer.Generic

Link:

https://www.hybrid-analysis.com/sample/3d8a017c73cc2eda5238f0910005708dc114dd4a16a511339c8d12071ab9d23d

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-06-22T05:50:00Z UTC

Last seen:

2026-06-23T23:27:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Inject.sb HEUR:Trojan-PSW.Python.Agent.gen

Link:

https://opentip.kaspersky.com/3d8a017c73cc2eda5238f0910005708dc114dd4a16a511339c8d12071ab9d23d/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3d8a017c73cc2eda5238f0910005708dc114dd4a16a511339c8d12071ab9d23d

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3d8a017c73cc2eda5238f0910005708dc114dd4a16a511339c8d12071ab9d23d/

Verdict:

Malicious

Threat:

Trojan-PSW.Python.Agent

Link:

https://tip.neiki.dev/file/3d8a017c73cc2eda5238f0910005708dc114dd4a16a511339c8d12071ab9d23d

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-06-22 08:13:01 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hwfac7dtzqxnuury6ciqablqrxarjxkkc2srcm44rujaogvz2i6q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/260622-jzdtfaas8p/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Loads dropped DLL

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

3d8a017c73cc2eda5238f0910005708dc114dd4a16a511339c8d12071ab9d23d

MD5 hash:

65a7938b2286f32dc941f6a6f5d3465d

SHA1 hash:

f3bab80cd8ddf3bf17c225b0ab2e2bb46079a25a

Link:

https://www.unpac.me/results/0652d90c-1fe6-4a2c-b841-4d2fb474cc41/

SH256 hash:

04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

MD5 hash:

7667b0883de4667ec87c3b75bed84d84

SHA1 hash:

e6f6df83e813ed8252614a46a5892c4856df1f58

Link:

https://www.unpac.me/results/0652d90c-1fe6-4a2c-b841-4d2fb474cc41/

SH256 hash:

8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

MD5 hash:

a5471f05fd616b0f8e582211ea470a15

SHA1 hash:

cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

Link:

https://www.unpac.me/results/0652d90c-1fe6-4a2c-b841-4d2fb474cc41/

SH256 hash:

bcc45438a09e089fde486642352242992429085e677c06026cafac17f3e6c3b8

MD5 hash:

db456d5f857cff4e0630391f86867588

SHA1 hash:

c7f6de245bde4363908c1c20af26e3dd6b145a94

Link:

https://www.unpac.me/results/0652d90c-1fe6-4a2c-b841-4d2fb474cc41/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3d8a017c73cc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 3d8a017c73cc2eda5238f0910005708dc114dd4a16a511339c8d12071ab9d23d

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/71497/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample