MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55790767e48d39d71bf0814ba9ab4bd294de825ccab8b01cfa854399e2e935c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13



SHA256 hash: 55790767e48d39d71bf0814ba9ab4bd294de825ccab8b01cfa854399e2e935c8
SHA3-384 hash: 5d7ab0f4a2e2b2584909355264e470c62791538975eb10b5ffb3dcab813b6a57573a4adb009885e1f5b1213a54a79db1
SHA1 hash: e5130fc13613fce0f9cf16e92f696068e8993802
MD5 hash: 4ac225bf392d0f8343478f6dc568143b
humanhash: snake-robert-florida-georgia
File name: PoligonVRSetup.exe
File size: 22'241'368 bytes
First seen: 2026-01-03 14:22:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: dcaf48c1f10b0efa0a4472200f3850ed (40 x BlankGrabber, 17 x PythonStealer, 17 x Efimer)
ssdeep: 393216:kqyCr2bcsbAemqSEVJEoa163OPsZg2Ke4fDVymK435HsF5ladgZb7EPONNrtnC6y:kq5rpl8c163rLX4y6EUdwbCE9Ry
TLSH: T1952733E89FD00CB9E863753B54359876B3E174580BA09D2F5F00622A3F774EA6C36693
TrID: 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: burger
Tags: exe stealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 98
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Malware family:
n/a
ID:
1
File name:
PoligonVRSetup.exe
Verdict:
Malicious activity
Analysis date:
2026-01-03 14:22:43 UTC
Tags:
anti-evasion python evasion stealer arch-doc pyinstaller generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for recently created files
Connection attempt
Running batch commands
Creating a process with a hidden window
Launching a process
Loading a suspicious library
Forced system process termination
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand installer-heuristic lolbin microsoft_visual_cc overlay overlay packed pyinstaller unsafe
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-03T11:31:00Z UTC
Last seen:
2026-01-04T01:46:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.Python.Muck.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Mercurial.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Backdoor.Win32.Zegost.sb Trojan-PSW.MSIL.Mercurial.axa
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Found pyInstaller with non standard icon
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses WMIC command to query system information (often done to detect virtual machines)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 1844199; Sample: PoligonVRSetup.exe; Startdate: 03/01/2026; Architecture: WINDOWS; Score: 100 (graph rendering; node layout not preserved in this view)
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Gathering data
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2026-01-03 14:22:45 UTC
File Type:
PE+ (Exe)
Extracted files:
2323
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access discovery execution pyinstaller spyware stealer
Behaviour
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Maps connected drives based on registry
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: dependsonpythonailib
Author: Tim Brown
Description: Hunts for dependencies on Python AI libraries
Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments