MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 741d9ea1d7ce0d22e0dc37ebbefb1f80a0055edcfaa5626084d9e7ad2b46b260. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash: 741d9ea1d7ce0d22e0dc37ebbefb1f80a0055edcfaa5626084d9e7ad2b46b260
SHA3-384 hash: e6e87441b801f084a92f66a13967a59c2542c53b3872ea6b93b5cdf09564b97bd0dc7b73c7e44b393c2c07bb223f6dfe
SHA1 hash: 23db16b654a1b99aedabee88486262ff09bcab81
MD5 hash: a82a3afcc7486e348bf955903477745b
humanhash: hydrogen-edward-lion-oscar
File name:py.exe
Download: download sample
File size:393'728 bytes
First seen:2026-04-20 12:25:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 562a0fa1097a7e442aee1ca676f7cd61 (1 x Smoke Loader)
ssdeep 6144:gnTbbyYCXjj++7rO+36/xZD9weJYZUfKY1zMRE7tY0tb5vn6cthVnVa6NxehcUGx:gOj6+7rX36ZZTy3YqRS33hVndIWUGx
Threatray 45 similar samples on MalwareBazaar
TLSH T128844987980C20A1F96B957C06725B1F98A6D4F9213F29044E6D29EDEBD13C8A33F7D1
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
99
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee.zip
Verdict:
Malicious activity
Analysis date:
2026-04-19 23:51:22 UTC
Tags:
arch-exec stealer stealc loader api-base64 wmi-base64 delphi inno installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
cobalt emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-19T00:00:00Z UTC
Last seen:
2026-04-22T08:06:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Kryplod.sb Trojan.Win32.Agent.sb VHO:Backdoor.Win32.Agent.gen Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.ClipBanker.sb HEUR:Trojan.Win64.Agent.gen.ia HEUR:Trojan-Banker.Win32.ClipBanker.gen VHO:Trojan.Win64.Agent.gen VHO:Backdoor.Win32.Androm.gen Backdoor.Win32.Androm.sb
Result
Threat name:
Clipboard Hijacker
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Gathering data
Verdict:
Malicious
Threat:
VHO:Backdoor.Win32.Androm
Threat name:
Win64.Trojan.Lazy
Status:
Malicious
First seen:
2026-04-19 03:32:58 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SH256 hash:
741d9ea1d7ce0d22e0dc37ebbefb1f80a0055edcfaa5626084d9e7ad2b46b260
MD5 hash:
a82a3afcc7486e348bf955903477745b
SHA1 hash:
23db16b654a1b99aedabee88486262ff09bcab81
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:suspicious_PEs
Author:txc
Description:This rule detected suspicious PE files, based on high entropy and low amount of imported DLLs. This behaviour indicates packed files or files, that hide their true intention.
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments