MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70188da20e5d4ab61f83b585df81cd5581a98fc25f065dce99c1ba1df3ce4e26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	70188da20e5d4ab61f83b585df81cd5581a98fc25f065dce99c1ba1df3ce4e26
SHA3-384 hash:	bb874ae330f944e7066cfa56ae71a35986d6617972979681a88efdd9540110f40cc8d5afe88aea0bd2a6e07b781f08ec
SHA1 hash:	f6b9af93099af53ee19db15d85bb66abb48d9b08
MD5 hash:	6a0f9e112166fd6fc02b3774930d14a4
humanhash:	uranus-jig-pip-oxygen
File name:	SecuriteInfo.com.Heur.Clyp.1.12026.22242
Download:	download sample
File size:	13'786'734 bytes
First seen:	2025-03-19 08:35:59 UTC
Last seen:	2025-03-19 10:19:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	965e162fe6366ee377aa9bc80bdd5c65 (45 x BlankGrabber, 12 x CoinMiner, 9 x Efimer)
ssdeep	393216:MgLq2JtWNhqKVNXMCHWUjeOrPwgpmMFX++ycH1:1q2JtEhqKVNXMb8eaEM1
TLSH	T1BCD6332833F199E5F8B3483A85E54658E663786007BACBC757EC56722E331C02F79B61
TrID	66.6% (.EXE) InstallShield setup (43053/19/16) 16.2% (.EXE) Win64 Executable (generic) (10522/11/4) 7.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.1% (.EXE) OS/2 Executable (generic) (2029/13) 3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

501

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Heur.Clyp.1.12026.22242

Verdict:

Malicious activity

Analysis date:

2025-03-19 08:41:03 UTC

Tags:

python pyinstaller

Link:

https://app.any.run/tasks/05b610cf-9c65-4883-98e8-7406e1ed5891

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67da8c7008116ce4257271bb

Tags:

installer extens virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Creating a window

Delayed reading of the file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

expand lolbin microsoft_visual_cc overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/67da81fe01edd28374b43f62/reports/e44fa5aa-388a-4f3d-bfd7-f10d87b18cd2/overview

Verdict:

Malicious

Labled as:

Clyp.Generic

Link:

https://www.hybrid-analysis.com/sample/70188da20e5d4ab61f83b585df81cd5581a98fc25f065dce99c1ba1df3ce4e26

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e81412ea-022d-4be3-a483-f7d86ab64198

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1642645

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/70188da20e5d4ab61f83b585df81cd5581a98fc25f065dce99c1ba1df3ce4e26

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70188da20e5d4ab61f83b585df81cd5581a98fc25f065dce99c1ba1df3ce4e26/

Threat name:

Win64.Trojan.Clyp

Status:

Malicious

First seen:

2025-03-19 08:36:13 UTC

File Type:

PE+ (Exe)

Extracted files:

809

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oami3iqolvflmh4dwwc57aonkwa2td6cl4df3tuzyg5b346ojyta._file

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/250319-khm68ayjz5/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/22a25600-621f-435f-a9ec-260857923949

Unpacked files

SH256 hash:

70188da20e5d4ab61f83b585df81cd5581a98fc25f065dce99c1ba1df3ce4e26

MD5 hash:

6a0f9e112166fd6fc02b3774930d14a4

SHA1 hash:

f6b9af93099af53ee19db15d85bb66abb48d9b08

Link:

https://www.unpac.me/results/397cbaec-4fb9-437b-a0ed-242fbf075404/

SH256 hash:

36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

MD5 hash:

862f820c3251e4ca6fc0ac00e4092239

SHA1 hash:

ef96d84b253041b090c243594f90938e9a487a9a

Link:

https://www.unpac.me/results/397cbaec-4fb9-437b-a0ed-242fbf075404/

SH256 hash:

4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

MD5 hash:

123ad0908c76ccba4789c084f7a6b8d0

SHA1 hash:

86de58289c8200ed8c1fc51d5f00e38e32c1aad5

Link:

https://www.unpac.me/results/397cbaec-4fb9-437b-a0ed-242fbf075404/

SH256 hash:

611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af

MD5 hash:

71d96f1dbfcd6f767d81f8254e572751

SHA1 hash:

e70b74430500ed5117547e0cd339d6e6f4613503

Link:

https://www.unpac.me/results/397cbaec-4fb9-437b-a0ed-242fbf075404/

SH256 hash:

c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9

MD5 hash:

d8f690eae02332a6898e9c8b983c56dd

SHA1 hash:

112c1fe25e0d948f767e02f291801c0e4ae592f0

Link:

https://www.unpac.me/results/397cbaec-4fb9-437b-a0ed-242fbf075404/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/70188da20e5d4ab61f83b585df81cd5581a98fc25f065dce99c1ba1df3ce4e26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (FORCE_INTEGRITY)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::FindFirstFileW KERNEL32.dll::RemoveDirectoryW KERNEL32.dll::SetDllDirectoryW
WIN_USER_API	Performs GUI Actions	USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample