MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FRP

Vendor detections: 13

Intelligence 13 IOCs YARA 33 File information Comments

SHA256 hash:	73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1
SHA3-384 hash:	9b19045949b66595121d141a551d8ecd6d6dcfb924ec3b60940a5153177813a94bbc471429d8d83285c0571896321b35
SHA1 hash:	13d8b44123e6f9f9a58a9359d0a772566f4eff3b
MD5 hash:	93996829b15b3cf1bb4bd79f2091d72f
humanhash:	lemon-juliet-equal-hotel
File name:	_frpc_upx_small.exe
Download:	download sample
Signature	FRP Create hunting rule
File size:	15'403'520 bytes
First seen:	2026-06-11 19:40:46 UTC
Last seen:	2026-06-11 19:45:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b196866f0bf37f1f128fa153413b744f (11 x FRP, 1 x Sliver)
ssdeep	98304:MtCB9kT0DOgSppogSn41ZbhqkE8E/k2qvPJzfN3KAlA2rWr:SUvSpppdqd8EK3/lAS
Threatray	7 similar samples on MalwareBazaar
TLSH	T13EF66B57E8A201F4C1ADD234C5A68263BF317C495B3127D72B50F6283F76BD0AABA750
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	exe frp upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 3d008cb4d346a95396868f786ec6d4fe7e12a0451768f957664abba7469f2cf0

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	4'410'880 bytes
File size (de-compressed) :	15'403'520 bytes
Format:	win64/pe
Packed file:	3d008cb4d346a95396868f786ec6d4fe7e12a0451768f957664abba7469f2cf0

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1.exe

Verdict:

No threats detected

Analysis date:

2026-06-11 19:42:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ff39a9dd-3816-447e-9fe1-cd7f718c9d0e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Proxy.FRP-10059220-0

YARA.DITEKSHEN_INDICATOR_TOOL_Fastreverseproxy.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2b0f7334eaf30d8ce4f7a5

Tags:

vmdetect

Result

Verdict:

Clean

Maliciousness:

Behaviour

Connection attempt

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm crypto golang reverseproxy

Link:

https://www.filescan.io/uploads/6a2b0f6a554e843ff868af64/reports/0854aa66-3b29-4f86-82c3-1578b4ec1f90/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1

Verdict:

Adware

File Type:

exe x64

Detections:

not-a-virus:NetTool.Win64.FRP.sb not-a-virus:HEUR:NetTool.Win64.FRP.gen

Link:

https://opentip.kaspersky.com/73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1/results?tab=lookup

Malware family:

Fast Reverse Proxy

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a7aae34a-fcaa-4c5d-be6f-1207e85de79d

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1926857

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

71%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1/

Verdict:

Malicious

Threat:

NetTool.Win64.FRP

Link:

https://tip.neiki.dev/file/73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oozmahfh6cbl6tmzsqtoa6egcrfxxtfoz2wzbynm6zqwsx62hgyq._file

Verdict:

malicious

Label(s):

wormfrp

FRP

73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1

FRP

c9a44c6428fee879e59aa212a95c316e508b06775e2fccc690ae2acbc94493c7

FRP

error

FRP

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260611-yea95sdz3m/

Behaviour

Suspicious behavior: EnumeratesProcesses

Unpacked files

SH256 hash:

73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1

MD5 hash:

93996829b15b3cf1bb4bd79f2091d72f

SHA1 hash:

13d8b44123e6f9f9a58a9359d0a772566f4eff3b

Detections:

triage_frp

Link:

https://www.unpac.me/results/7c0676a7-0f7d-41ed-ac43-cbb3d0039055/

Parent samples :

3d008cb4d346a95396868f786ec6d4fe7e12a0451768f957664abba7469f2cf0
73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/73b2c01ca7f082bf4d999426e07886144b7bccaecead90e1acf661695fda39b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Go_Malware_Yamux_Variant Create hunting rule
Author:	Gemini
Description:	Detects a specific Go-based malware variant using the yamux library, with shared strings and constants across x86 and ARM architectures.

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_TOOL_FastReverseProxy Create hunting rule
Author:	ditekSHen
Description:	Detects Fast Reverse Proxy (FRP) tool

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RemusStealer_GoPayload Create hunting rule
Author:	burger
Description:	Detects RemusStealer Go-compiled payload

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	tool_frp_str Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	Detect fast reverse proxy (frp)
Reference:	https://github.com/fatedier/frp