MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74eadd945d1174252e2c11d43178da80ff498017c9f059aa1fca3a8fc00706b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash: 74eadd945d1174252e2c11d43178da80ff498017c9f059aa1fca3a8fc00706b5
SHA3-384 hash: df8a0b57f1b7071e74769aa80d4c9916d5bfc3b3e47539c2d064b2a628128a31fd853cf1fe538b96a4e6c6be3f6bddbd
SHA1 hash: 3eecb509cff45261c8c2332974c046066aef6469
MD5 hash: b4dbef64eaeec33900b48b08ef64c73b
humanhash: skylark-steak-venus-berlin
File name:Yoda-executor-v1.2.exe
Download: download sample
File size:63'177'273 bytes
First seen:2026-07-04 17:20:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cf72283be50852e418ce6bbb6b645835 (7 x BlankGrabber, 1 x CrealStealer, 1 x HawkEye)
ssdeep 1572864:GqBsXJVrvo2pUg9NoX0REHrw1x2d4Z2Ue+odGbpNnaP:pqv7ig9NXELu22kipk
TLSH T16ED733A06E554185CD93513F14B8473372E8F8F58A6983EB13E8914B2F632DF6C3D2A6
TrID 70.9% (.EXE) InstallShield setup (43053/19/16)
10.7% (.EXE) Win64 Executable (generic) (6522/11/2)
8.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.3% (.EXE) OS/2 Executable (generic) (2029/13)
3.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon c6c2ccc4f4e0e0f8 (49 x PythonStealer, 28 x SVCStealer, 26 x CoinMiner)
Reporter Alex_sev
Tags:DiscordBot exe keylogger Psw pyinstaller Python ShellLoader

Intelligence


File Origin
# of uploads :
1
# of downloads :
138
Origin country :
AU AU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Yoda-executor-v1.2.exe
Verdict:
Malicious activity
Analysis date:
2026-07-04 17:22:44 UTC
Tags:
pyinstaller auto-reg discord python

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Tags:
extens virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling the 'hidden' option for analyzed file
Connection attempt
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug expand installer-heuristic keylogger lolbin microsoft_visual_cc overlay packed packed packed pyinstaller pyinstaller reconnaissance
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-30T14:01:00Z UTC
Last seen:
2026-07-05T19:35:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Python.Tpyc.i HEUR:Trojan.Python.Rodico.gen HEUR:Trojan.Python.Pytr.p Trojan.Win64.Agent.sb Trojan.Win32.Agent.sba PDM:Trojan.Win32.Generic HEUR:Trojan.Python.Pytr.dm HEUR:Trojan.Python.Pytr.bi HEUR:Trojan.Python.Pyob.d HEUR:Trojan.Python.Pytr.db HEUR:Trojan.Python.Agent.gen Worm.Win32.Cridex.sb HEUR:Trojan-Spy.Python.Keylogger.gen HEUR:Trojan-Spy.Python.Agent.gen HEUR:Trojan-PSW.Python.Generic HEUR:Trojan-PSW.Python.Agent.gen Trojan-PSW.Win32.Disco.sb
Gathering data
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-29 23:47:45 UTC
File Type:
PE+ (Exe)
Extracted files:
2745
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion persistence pyinstaller spyware stealer
Behaviour
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:Detect_PyInstaller
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:dsc
Author:Aaron DeVera
Description:Discord domains
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:telebot_framework
Author:vietdx.mb
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments