MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 735d59c0949e258501e177ec2dd5fbb60df9fa401ace08949b89077c6f0d41d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LightSpy


Vendor detections: 12


Intelligence 12 IOCs YARA 15 File information Comments

SHA256 hash: 735d59c0949e258501e177ec2dd5fbb60df9fa401ace08949b89077c6f0d41d0
SHA3-384 hash: 688f2d26f3603eb80fceeeea3b3be991a74dd95d36df78c421bdb6d7e2b591c3faeb2f9d8d44698de3a777639c524f99
SHA1 hash: a86a42b83570dc9dbe993b4b5073cd8cd44ed768
MD5 hash: 847ec30a4ff2391f1eb7669c22940e51
humanhash: butter-solar-apart-nevada
File name:v84czzz26.exe
Download: download sample
Signature LightSpy
File size:8'998'400 bytes
First seen:2026-07-12 20:25:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ca0be1f0383ce1e68fdbecd6db87c064 (1 x LightSpy)
ssdeep 98304:Oq9D7NJ1yT+K8KCGvffm+ZAKsSeq62QdFllwnRa5q5x:/9DP1yCKfCGvnmvZJvl
TLSH T15A969E5AB2A900E8E57BD078C6679707F771345603309AEB06E087692F37BE05A7F712
TrID 40.3% (.EXE) InstallShield setup (43053/19/16)
38.9% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (6522/11/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter smica83
Tags:exe LightSpy

Intelligence


File Origin
# of uploads :
1
# of downloads :
144
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
92.5%
Tags:
emotet virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto dropper evasive expired-cert explorer lolbin microsoft_visual_cc overlay reconnaissance
Verdict:
Malicious
File Type:
exe x32
First seen:
2023-12-10T23:01:00Z UTC
Last seen:
2026-07-12T19:50:00Z UTC
Hits:
~100
Malware family:
Microsoft Corporation
Verdict:
Unknown
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2024-06-18 14:19:26 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Verdict:
suspicious
Label(s):
lightspy
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Behaviour
Program crash
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
735d59c0949e258501e177ec2dd5fbb60df9fa401ace08949b89077c6f0d41d0
MD5 hash:
847ec30a4ff2391f1eb7669c22940e51
SHA1 hash:
a86a42b83570dc9dbe993b4b5073cd8cd44ed768
Detections:
win_deepdata_auto
SH256 hash:
d3d40b7a7dfb724d5da01634e5c4ade2df988c3ee4464fe4d70545483fc19c6d
MD5 hash:
46276ffde166ebe7c5a15522b98921a6
SHA1 hash:
50f9d54d209c2ca6bbe85f9aa8f01689e9cfb120
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_all_IPv6_variants
Author:Bierchermuesli
Description:Generic IPv6 catcher
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:Mimikatz_Generic
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:skip20_sqllang_hook
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:win_deepdata_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.deepdata.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments