MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ee3329e3b880e7fa9d89ed0a5675fe590c1ca403ea4515e43cdbbbdae19dd5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ee3329e3b880e7fa9d89ed0a5675fe590c1ca403ea4515e43cdbbbdae19dd5f
SHA3-384 hash: b5c07d5aa0edddb907f9273d811d62e9737a19f79e1c08a74b4e2272d5c5b2e1f03173887764f07e721911a56b03792f
SHA1 hash: ca8c0f22a994b8d8656afaef369a2a9d861259ed
MD5 hash: 30325aec283324a4d1d89c30fe4d8f93
humanhash: princess-five-foxtrot-rugby
File name:3ee3329e3b880e7fa9d89ed0a5675fe590c1ca403ea4515e43cdbbbdae19dd5f
Download: download sample
File size:1'176'576 bytes
First seen:2026-06-06 23:17:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7678b7862d40d5ac38768f5f18beffb1
ssdeep 24576:w3HPW4Yy7Nt52XJqQ5egYwlVOuzSpFcsDtttt5k6SZQbNyBo4kx929bL3Hnx:yW4Yy7Nt52Xne1wlV9G0sDttttWBB+kh
TLSH T13745D013F3A796B9C566C2788AB2C726E7B4B84513214ACB569097793F237E0273F341
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter EnthecSolutions
Tags:enthec exe PE

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
CA CA
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69401/
Detection(s):
SecuriteInfo.com.Win32.Expiro-3.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a24aac663a4889c1afa3075
Tags:
expiro
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm crypto hacktool microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6a24aac177463968d61afb7d/reports/6405ff15-2035-4dd6-ae4d-d2cd76dc6e40/overview
Verdict:
Malicious
Labled as:
Win64.Expiro.Generic
Link:
https://www.hybrid-analysis.com/sample/3ee3329e3b880e7fa9d89ed0a5675fe590c1ca403ea4515e43cdbbbdae19dd5f
Verdict:
Malicious
File Type:
sys x64
First seen:
2026-05-04T22:59:00Z UTC
Last seen:
2026-05-04T23:26:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/3ee3329e3b880e7fa9d89ed0a5675fe590c1ca403ea4515e43cdbbbdae19dd5f/results?tab=lookup
Malware family:
Expiro
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f7b59b3-0d4d-4a1f-8b0f-fbb48f6ba099
Score:
38%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/3ee3329e3b880e7fa9d89ed0a5675fe590c1ca403ea4515e43cdbbbdae19dd5f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ee3329e3b880e7fa9d89ed0a5675fe590c1ca403ea4515e43cdbbbdae19dd5f/
Verdict:
Malicious
Threat:
Virus.Win64.Moiva
Link:
https://tip.neiki.dev/file/3ee3329e3b880e7fa9d89ed0a5675fe590c1ca403ea4515e43cdbbbdae19dd5f
Threat name:
Win64.Virus.Expiro
Create hunting rule
Status:
Malicious
First seen:
2026-05-05 00:58:37 UTC
File Type:
PE+ (Sys)
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3rtfhr3rahh7koyt3ikkz274wimdssah2sfcxsdzw533lqz3vpq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260606-3agctadz5s/
Unpacked files
SH256 hash:
3ee3329e3b880e7fa9d89ed0a5675fe590c1ca403ea4515e43cdbbbdae19dd5f
MD5 hash:
30325aec283324a4d1d89c30fe4d8f93
SHA1 hash:
ca8c0f22a994b8d8656afaef369a2a9d861259ed
Detections:
triage_expiro_worm
Create hunting rule
Link:
https://www.unpac.me/results/e712f9cd-2939-473a-8631-7de8e49eaa4c/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69401/

Comments