MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eb4bdd8ec2a01033803c139351d0fb38f919b7afda79afbc3a321609f5300b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eb4bdd8ec2a01033803c139351d0fb38f919b7afda79afbc3a321609f5300b1
SHA3-384 hash: 8ba23d576c71bdb1456b6b003ef5b4e1cc7faa4ab930ce2f720e44f717e9fdd870c7d25d953295ed5b8b2eb82ee91311
SHA1 hash: 0c4036e663914ce7831040e9e228d8b3224ee96c
MD5 hash: b90c60f0d57f1aa19cb5c08fe791bcec
humanhash: lithium-grey-shade-helium
File name:SOLICITUD DE COTIZACION.exe
Download: download sample
Signature Expiro
Create hunting rule
File size:1'843'200 bytes
First seen:2026-01-28 14:29:05 UTC
Last seen:2026-02-05 15:57:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f614ac8f5b17f11f2407d3f616409e3 (1 x Expiro)
ssdeep 24576:X8SsAyXy9GDnitVg9N9JMlDlfjRiVuVsWt5MJMs:tsbXeGDniHgFIDRRAubt5M
TLSH T13085D022E650B425F81385B07E74A25668293E391640ED0BB78DDF5A3BB1AC374F931F
TrID 55.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
21.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.1% (.EXE) Win64 Executable (generic) (10522/11/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter James_inthe_box
Tags:exe Expiro

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
GuLoader
Details
Link:
https://research.acce.ciphertechsolutions.com/results/0cbcd60f-7e70-475e-bd7e-542002213a96/
Malware family:
n/a
ID:
1
File name:
SOLICITUD DE COTIZACION.exe
Verdict:
Malicious activity
Analysis date:
2026-01-28 14:30:58 UTC
Tags:
m0yv sinkhole
Link:
https://app.any.run/tasks/e6d565b1-9f41-4a39-8d5e-3b5559a6d2bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50517/
Detection(s):
SecuriteInfo.com.Win32.Expiro-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.Expiro-2.UNOFFICIAL
Create hunting rule

Win.Malware.Expiro-9951780-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697a1d466fa3eed1652fec37
Tags:
shellcode dropper remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Modifying a system executable file
Creating a window
Launching a service
Launching a process
Searching for synchronization primitives
Loading a system driver
Connection attempt to an infection source
DNS request
Creating a file in the system32 subdirectories
Modifying an executable file
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file
Enabling autorun for a service
Query of malicious DNS domain
Infecting executable files
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expiro overlay virus visual_basic
Link:
https://www.filescan.io/uploads/697a1d434156786ccbdcf99b/reports/0191eba3-2cc9-4161-8da9-3842da1d4e02/overview
Verdict:
Malicious
Labled as:
Expiro.Generic
Link:
https://www.hybrid-analysis.com/sample/6eb4bdd8ec2a01033803c139351d0fb38f919b7afda79afbc3a321609f5300b1
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-27T11:45:00Z UTC
Last seen:
2026-01-30T12:41:00Z UTC
Hits:
~10000
Detections:
HEUR:Trojan.Win32.Generic HEUR:Virus.Win32.Generic HEUR:Trojan.Win64.Kryplod.pef Trojan-PSW.Win32.Stealer.sb Trojan.Win64.Kryplod.sb Trojan.Win64.Agent.sb HEUR:Trojan.Win32.Kryplod.gen Virus.Win64.Moiva.a Virus.Win32.Moiva.a HEUR:Trojan.Win64.Zenpak.pef HEUR:Trojan.Win32.Waldek.gen not-a-virus:HEUR:AdWare.Script.Generic
Link:
https://opentip.kaspersky.com/6eb4bdd8ec2a01033803c139351d0fb38f919b7afda79afbc3a321609f5300b1/results?tab=lookup
Malware family:
Expiro
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a615c3d0-e1be-4ecb-a7ac-a8fe764d6294
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6eb4bdd8ec2a01033803c139351d0fb38f919b7afda79afbc3a321609f5300b1
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eb4bdd8ec2a01033803c139351d0fb38f919b7afda79afbc3a321609f5300b1/
Verdict:
Malicious
Threat:
Family.M0YV
Link:
https://tip.neiki.dev/file/6eb4bdd8ec2a01033803c139351d0fb38f919b7afda79afbc3a321609f5300b1
Threat name:
Win32.Virus.Expiro
Create hunting rule
Status:
Malicious
First seen:
2026-01-27 20:05:52 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
34 of 37 (91.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n22l3whmfiaqgoadye4tkhipwohzdg327wtzv66dumqwbh2tacyq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery ransomware spyware stealer
Link:
https://tria.ge/reports/260128-rtrgcad19e/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Executes dropped EXE
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6eb4bdd8ec2a01033803c139351d0fb38f919b7afda79afbc3a321609f5300b1
MD5 hash:
b90c60f0d57f1aa19cb5c08fe791bcec
SHA1 hash:
0c4036e663914ce7831040e9e228d8b3224ee96c
Link:
https://www.unpac.me/results/9d51f45d-01d2-4146-a83f-e1957e77f163/
SH256 hash:
e728b893d5d782a215849e63fec8d5754cc4bffff527f87f4ba46f5e4e7e471b
MD5 hash:
2ca0a72401db99067e4e7bf64b200403
SHA1 hash:
be70b62af8b97f6ad4526cd7625aaba89b88e370
Link:
https://www.unpac.me/results/9d51f45d-01d2-4146-a83f-e1957e77f163/
SH256 hash:
4bf1109d02442e73198138d0f9d0fccd52caaccf5ee5bbc89c4c583b505e8dbf
MD5 hash:
3f459b435d74cbc77fcae6c1971e2f2e
SHA1 hash:
73b48dc81d87c7d29b9fc15a8c47e755e7dafdc4
Link:
https://www.unpac.me/results/9d51f45d-01d2-4146-a83f-e1957e77f163/
SH256 hash:
abdd6f31a909b0b10e30ced74a1f6f037adf1f61a8a842048dbc254d6f076169
MD5 hash:
c33a7f0e25bb3f4d3c19fc8441e9d12b
SHA1 hash:
0286b277e97b9f7c217a0d029e8144f8e20b40b9
Link:
https://www.unpac.me/results/9d51f45d-01d2-4146-a83f-e1957e77f163/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Expiro
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eb4bdd8ec2a01033803c139351d0fb38f919b7afda79afbc3a321609f5300b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_ebf62328
Create hunting rule
Author:Elastic Security
Rule name:win_m0yv_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.m0yv.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/50517/

Comments