MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a616be3a292055d1bfb135bf6ad6ff9be4cd4e8019f819bead20937e2dd96b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 13

SHA256 hash: 5a616be3a292055d1bfb135bf6ad6ff9be4cd4e8019f819bead20937e2dd96b4
SHA3-384 hash: 15907b94df90158fcdd2f6c08c1770cf2234b6aa17deef96575b3a69a1ec7783274524e7b34e7b949373b7513b83f54b
SHA1 hash: e8bff616100ccd9452362f90d0d3f94b860d2bf4
MD5 hash: 8f8fc7f7442eb1d14acf3593e773463b
humanhash: tennessee-ink-florida-bulldog
File name: 5a616be3a292055d1bfb135bf6ad6ff9be4cd4e8019f819bead20937e2dd96b4
File size: 16'402'198 bytes
First seen: 2026-02-04 15:41:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 72c4e339b7af8ab1ed2eb3821c98713a (50 x BlankGrabber, 26 x PythonStealer, 7 x LunaStealer)
ssdeep: 393216:Xip6jW83Kq63hucw1+TtIiF4uARuAMdS9QVlNIIKQEM:1W8ab3hrw1QtI1uA8sMl6IKQEM
TLSH: T173F6339973A508ECD8AEA17F91E4C25B63A170E703A0928F57F20D520F271E5EE35F52
TrID: 64.5% (.EXE) InstallShield setup (43053/19/16)
      15.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      3.0% (.ICL) Windows Icons Library (generic) (2059/9)
      3.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Neiki
Tags: exe Python stealer Telegram

Intelligence


File Origin
# of uploads: 1
# of downloads: 237
Origin country: DE
Vendor Threat Intelligence

Malware configuration found for: PyInstaller
Details: PyInstaller
a compiled assembly and a Python version

Malware family: n/a
ID: 1
File name: svchost.exe
Verdict: Malicious activity
Analysis date: 2026-02-04 15:30:58 UTC
Tags: pyinstaller telegram python auto-reg ims-api generic rust evasion
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: ransomware installer extens

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug expand expired-cert fingerprint installer-heuristic keylogger lolbin microsoft_visual_cc overlay packed packed pyinstaller pyinstaller

Verdict: Malicious
File Type: exe x64
First seen: 2026-02-04T12:38:00Z UTC
Last seen: 2026-02-04T12:51:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Ransom.Python.Agent.b HEUR:Trojan.Python.Pytr.co HEUR:Trojan-Ransom.Python.Agent.gen

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Trojan.Egairtigado
Status: Malicious
First seen: 2026-02-04 15:31:11 UTC
File Type: PE+ (Exe)
Extracted files: 1912
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: persistence pyinstaller ransomware
Behaviour:
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Drops file in Windows directory
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Renames multiple (210) files with added filename extension
Unpacked files:
SHA256 hash: 5a616be3a292055d1bfb135bf6ad6ff9be4cd4e8019f819bead20937e2dd96b4
MD5 hash: 8f8fc7f7442eb1d14acf3593e773463b
SHA1 hash: e8bff616100ccd9452362f90d0d3f94b860d2bf4

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



commented on 2026-02-04 22:25:27 UTC

If someone is affected:

import hashlib, base64, socket, ctypes, uuid
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

def get_key():
    # Rebuild the per-machine AES key the sample derives from the hostname,
    # the C: volume serial number and the MAC address (Windows only, uses kernel32).
    hostname = socket.gethostname()
    serial = ctypes.c_ulong()
    ctypes.windll.kernel32.GetVolumeInformationW(
        "C:\\", None, 0, ctypes.byref(serial), None, None, None, 0)
    mac = ':'.join(f'{(uuid.getnode()>>i)&0xff:02x}' for i in range(0,48,8))[::-1]
    machine_id = hashlib.sha256(f"{hostname}{serial.value}{mac}".encode()).hexdigest()
    return hashlib.sha256(machine_id.encode()).digest()

# The dropped file holds three '|'-separated fields; the first is not needed here,
# the second is the base64 IV and the third the base64 ciphertext.
with open(r"C:\Windows\Temp\ds_pwd.enc") as f:
    _, iv, ct = f.read().strip().split('|')
cipher = Cipher(algorithms.AES(get_key()), modes.CFB(base64.b64decode(iv)),
                backend=default_backend())
print("PASSWORD:", cipher.decryptor().update(base64.b64decode(ct)).decode())

This will print you the password. Also, this malware will not run in Safe Mode. I reverse-engineered it.