MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ee6cfd07624d3c962a5f05ace145da03ec3e33fa9a713924b91d46bc4eb8916. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	3ee6cfd07624d3c962a5f05ace145da03ec3e33fa9a713924b91d46bc4eb8916
SHA3-384 hash:	9e7c28b830e9aba8bd143bf332fdf01c87bda8d1249bd746678e9396dcbef2d148b96af6eb077a05aa0edd726943e804
SHA1 hash:	d3e1dccbe2cc1f7dd8f0874767020ed0f3ccc94a
MD5 hash:	7bf7d1df11e5803d9fad9b997a9f2379
humanhash:	mobile-florida-pennsylvania-stream
File name:	SecuriteInfo.com.Win32.MalwareX-gen.7223.6532
Download:	download sample
File size:	9'308'712 bytes
First seen:	2025-04-20 08:37:18 UTC
Last seen:	2025-04-20 09:24:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ea9a717aaf9e6cf1f5546b8c994ad07b
ssdeep	196608:36AxOFoN3g2zvEFqfxQqYLL/pxeVEP8xXb7NmH3zXgi8NQfRgtZSSBnqc8:36AAoN3EYiVPfQJx7NmDXg1+WZVp
TLSH	T12C9633427DC9C192C8AE0C3504B1C7B6225DBD2527608F7BEA917E76E9322D37B32749
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	00002c0c20440000
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

395

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbXVLeVpXbG5WOXdJX0hQYVRwalpLbTE4VTY3QXxBQ3Jtc0tuN08zUkZrdnFFc0pZTV9NWVdTcnczWmhLeXlFblhYbURiS3BJOTktRUp4R2hKYjMxNU1Sb1NpZHliNk0zWlZ6YmpSZHRYMFNpX19WUWhGT2Y4bjNubTVoUzZhTmxLbVBjYWc3Ujh3S0l2UkxwYnQtcw&q=https%3A%2F%2Fgithub.com%2Fcosmicdevv%2FIcarus-Lite%2Freleases&v=trqwRNPcVV4

Verdict:

Suspicious activity

Analysis date:

2025-04-14 14:32:39 UTC

Tags:

github python pyinstaller rust

Link:

https://app.any.run/tasks/30cf0366-adca-4915-8cad-d6b3cde77a71

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/3069/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.7223.6532.UNOFFICIAL

Verdict:

Malicious

Score:

98.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6804b276280f5f89a0d250da

Tags:

shellcode installer extens

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Creating a window

Running batch commands

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

expand lolbin microsoft_visual_cc overlay overlay packed packer_detected zusy

Link:

https://www.filescan.io/uploads/6804b271e9c1e257979daa44/reports/094f8378-d139-43b6-97d6-57e521aea420/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3ee6cfd07624d3c962a5f05ace145da03ec3e33fa9a713924b91d46bc4eb8916

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/f74d8bfb-8f3f-418d-9790-908551c18db4

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1669609

Signature

Found pyInstaller with non standard icon

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

93%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3ee6cfd07624d3c962a5f05ace145da03ec3e33fa9a713924b91d46bc4eb8916

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ee6cfd07624d3c962a5f05ace145da03ec3e33fa9a713924b91d46bc4eb8916/

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-03-16 09:12:30 UTC

File Type:

PE (Exe)

Extracted files:

791

AV detection:

16 of 38 (42.11%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h3tm7udwetj4syvf6bnm4fc5ua7mhyz7vgtrheslshkgxrhlrela._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery pyinstaller

Link:

https://tria.ge/reports/250420-kjss4ay1gt/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3751636c-9c2b-47a2-827e-de09fbe0e00d

Unpacked files

SH256 hash:

3ee6cfd07624d3c962a5f05ace145da03ec3e33fa9a713924b91d46bc4eb8916

MD5 hash:

7bf7d1df11e5803d9fad9b997a9f2379

SHA1 hash:

d3e1dccbe2cc1f7dd8f0874767020ed0f3ccc94a

Link:

https://www.unpac.me/results/56e468ea-e118-4dc6-b123-8d7180664a8b/

SH256 hash:

44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e

MD5 hash:

afa8fb684eded0d4ca6aa03aebea446f

SHA1 hash:

98bbb8543d4b3fbecebb952037adb0f9869a63a5

Link:

https://www.unpac.me/results/56e468ea-e118-4dc6-b123-8d7180664a8b/

SH256 hash:

96258f49ec5da6d92448ca736f891d715b85fdb6135b788e8fe10c9e4ed0b0bc

MD5 hash:

74eb4a76534d01511fdddcafa12b7117

SHA1 hash:

dd6f3b05b0e1ab4500eb9bfbf9b5fad39a6a4b06

Link:

https://www.unpac.me/results/56e468ea-e118-4dc6-b123-8d7180664a8b/

SH256 hash:

ad857e12f5a589064ba335202c12be839c0fb4b57ecb8eebebd287668a1c1003

MD5 hash:

bce3e91087311d29f741861affddb61c

SHA1 hash:

fe63a020048d5933429630f98b9e4252f6452e1c

Link:

https://www.unpac.me/results/56e468ea-e118-4dc6-b123-8d7180664a8b/

SH256 hash:

b300647dd4cb99ec8782524365210a811491d1124dd2ea9871a26a8ac43f83f1

MD5 hash:

402e0882543d1dbff0e45a0e86898a9c

SHA1 hash:

052ba1317a5cf918f7d8c7b571739925fd815116

Link:

https://www.unpac.me/results/56e468ea-e118-4dc6-b123-8d7180664a8b/

SH256 hash:

e498a3f2df1115dc530d39ee7492a7f0fd75b03ee8f0edded6312fc2799df217

MD5 hash:

f481fc00de7a451fe479c9e53ad955cc

SHA1 hash:

8d9f2aa72743d31c2defb366dded6ea059ee428d

Link:

https://www.unpac.me/results/56e468ea-e118-4dc6-b123-8d7180664a8b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3ee6cfd07624d3c962a5f05ace145da03ec3e33fa9a713924b91d46bc4eb8916

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 3ee6cfd07624d3c962a5f05ace145da03ec3e33fa9a713924b91d46bc4eb8916

(this sample)

Cape

https://www.capesandbox.com/analysis/3069/

URLhaus

https://urlhaus.abuse.ch/url/3519027/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleWindow KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::FindFirstFileW KERNEL32.dll::RemoveDirectoryW KERNEL32.dll::SetDllDirectoryW
WIN_USER_API	Performs GUI Actions	USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample