MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5670707f3704c17145353742fed1c27aae3f4d52ceae99b12ed8c55400fc55fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9



SHA256 hash: 5670707f3704c17145353742fed1c27aae3f4d52ceae99b12ed8c55400fc55fb
SHA3-384 hash: cbcbc1237fb0116e8bdee568a0f0bfad89119491493b8b6670e3ef4ee962b199c7e2413b5e038aeb331b68b1e06fff02
SHA1 hash: 53349919a3ae295cbe2fba0a47e5ab0474663847
MD5 hash: 798d3bb4b3caf105b7a2df8865271a88
humanhash: oxygen-montana-single-double
File name: setup.exe
File size: 91'018'232 bytes
First seen: 2026-04-01 08:44:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 46ce5c12b293febbeb513b196aa7f843 (24 x GuLoader, 12 x RemcosRAT, 5 x VIPKeylogger)
ssdeep: 1572864:SR41uucWbDGxwdspDI0GnL3jmVOwKo8vj3MKcrbgjgKZwWlDp07UygHrlY/z7qf2:SS/bCx6shRGnL3juvIDMDgTlp0Ae/L
TLSH: T11A18332135D7456AE19AD27611CF2823C1DF5E1077D73388E809A2ED7D3BA90EEC8627
TrID:
  27.0% (.EXE) Win64 Executable (generic) (6522/11/2)
  20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
  8.5% (.ICL) Windows Icons Library (generic) (2059/9)
  8.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 60e098f4e6f2f8d8 (2 x MuddyWater, 1 x RedLineStealer)
Reporter: smica83
Tags: exe floridacambolashop-com signed
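The imphash above is shared with GuLoader, RemcosRAT and VIPKeylogger samples, which is the usual sign of a common loader or installer stub rather than of the final payload. The example below is added here to show what that value is actually derived from; it is not MalwareBazaar's code. It re-implements the imphash normalisation that pefile's get_imphash() performs (lower-cased DLL name with a .dll/.ocx/.sys extension stripped, lower-cased function name, ordinal imports resolved through a per-DLL name table or written as ordN, entries joined with commas in import-table order, then MD5). The import tables and the excerpt of the ws2_32 ordinal table are constructed for the example; the page's own value can only be reproduced by running pefile's get_imphash() on the sample file itself.

```python
import hashlib

# Excerpt of the ws2_32.dll ordinal-to-name table that pefile consults when an
# import is by ordinal (assumption: a small subset, enough for the constructed
# samples below; pefile ships the full table for ws2_32 and oleaut32).
WS2_32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
    16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
    115: "WSAStartup", 116: "WSACleanup",
}
ORDINAL_TABLES = {"ws2_32": WS2_32_ORDINALS}

# Extensions that are dropped from the library name before hashing.
STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}


def normalize_imports(imports):
    """Build the canonical 'dll.func,dll.func,...' string that imphash hashes.

    `imports` is a list of (dll_name, function) pairs in import-table order,
    where `function` is either a name (str) or an ordinal (int).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        name, sep, ext = lib.rpartition(".")
        if sep and ext in STRIPPED_EXTENSIONS:
            lib = name
        if isinstance(func, int):
            # Ordinal import: use the known export name if the DLL has a
            # lookup table, otherwise the literal ordN form.
            func = ORDINAL_TABLES.get(lib, {}).get(func, f"ord{func}")
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string, as a lowercase hex digest."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


def same_loader(imports_a, imports_b):
    """True when two binaries carry the same import table, i.e. very likely
    the same loader/installer stub regardless of the embedded payload."""
    return imphash(imports_a) == imphash(imports_b)


# Constructed import tables (assumption: illustrative, not read from any real
# binary). Both describe the same stub; casing and by-name vs by-ordinal
# differences are exactly what the normalisation collapses.
LOADER_A = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("WS2_32.dll", 23),   # imported by ordinal: socket
    ("WS2_32.dll", 4),    # imported by ordinal: connect
]
LOADER_B = [
    ("kernel32.DLL", "LoadLibraryA"),
    ("kernel32.DLL", "GetProcAddress"),
    ("kernel32.DLL", "VirtualAlloc"),
    ("ws2_32.dll", "socket"),   # same functions, imported by name
    ("ws2_32.dll", "connect"),
]

if __name__ == "__main__":
    print("normalised:", normalize_imports(LOADER_A))
    print("imphash A :", imphash(LOADER_A))
    print("imphash B :", imphash(LOADER_B))
    print("same stub :", same_loader(LOADER_A, LOADER_B))
    # Import order is part of the hash, so a rebuilt stub with the same
    # functions in a different order gets a different imphash.
    print("reordered :", imphash(list(reversed(LOADER_A))))
```

Because import order matters and the hash ignores everything outside the import directory, imphash is a good pivot for "same builder/packer" and a poor one for "same malware family", which is why a single value spans three families here.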

Code Signing Certificate

Organisation: Xiamen Yufeng Tiantai Network Co., Ltd.
Issuer: Sectigo Public Code Signing CA EV R36
Algorithm: sha256WithRSAEncryption
Valid from: 2026-03-19T00:00:00Z
Valid to: 2027-03-19T23:59:59Z
Serial number: a8f8379ee21b6b3859da939532512002
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: 3e9c946da3f2078252121ca649def38b1aa008f04cee3d045335bfd5a34e975e
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 140
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup.exe
Verdict: No threats detected
Analysis date: 2026-04-01 08:47:28 UTC
Tags: python
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
  DNS request
  Creating a process from a recently created file
  Connection attempt
  Sending a custom TCP request
  Creating a file in the %temp% directory
  Creating a file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole expired-cert installer installer-heuristic microsoft_visual_cc nsis python short-lived-cert signed soft-404

Verdict: Suspicious
Labelled as: Python_TrojanDownloader_Agent_BAC_trojan

Verdict: Malicious
File Type: exe x32
First seen: 2026-03-31T00:45:00Z UTC
Last seen: 2026-04-02T00:28:00Z UTC
Hits: ~10
Detections: Backdoor.Python.Agent.hb NetTool.PythonUserAgent.HTTP.Download

Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Verdict: Malicious
Threat: Backdoor.PythonUserAgent.Agent

Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2026-03-30 23:34:07 UTC
File Type: PE (Exe)
Extracted files: 1381
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: discovery
Behaviour:
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Executes dropped EXE
  Loads dropped DLL
  Checks computer location settings

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

This section lists additional information about the sample, such as delivery method and external references; no entries appear in this capture.

Comments