MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8edf63e404795c64cc17d553a80a5c3df86f30592838812312e665bf7c8d735d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Expiro


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash: 8edf63e404795c64cc17d553a80a5c3df86f30592838812312e665bf7c8d735d
SHA3-384 hash: d961169ff45cbf48708efaf711e9947d87bdb416d8ec55bf59d5b389893585f90eec11bdf21bcabe4da8b97d985a3dcc
SHA1 hash: d58458448941b21a4e98ba8fa8d4a7ce61ecfeb9
MD5 hash: b15bc2e6b93fb013e344f426a60d85c1
humanhash: moon-north-four-washington
File name:8edf63e404795c64cc17d553a80a5c3df86f30592838812312e665bf7c8d735d
Download: download sample
Signature Expiro
File size:1'857'024 bytes
First seen:2026-06-08 09:20:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'115 x AgentTesla, 20'116 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 49152:BTG7y2+GjavK7mpEaE4nqmGuFNZ0pBFvJJk6zUzgoCUyGc+VUBM:BTUy2aK7Ra59bvKTFvJJr+wUyGdU
TLSH T12F85230052ABD917D5964BB6ACF2C03457784D4EF422C61BAFC82EEF7276B6509C4363
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 68e48c98b6b6b4c8 (5 x AgentTesla, 2 x a310Logger, 2 x Expiro)
Reporter adrian__luca
Tags:exe Expiro

Intelligence


File Origin
# of uploads :
1
# of downloads :
66
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
NETReactor RoboSki
Details
Verdict:
Malicious
Score:
99.1%
Tags:
infosteal shell virus hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a service
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Modifying a system executable file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Loading a system driver
Connection attempt to an infection source
Modifying an executable file
Modifying a system file
Creating a file in the Windows subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Stealing user critical data
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 net_reactor obfuscated packed packed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-07T14:49:00Z UTC
Last seen:
2026-06-09T20:24:00Z UTC
Hits:
~1000
Malware family:
Generic Malware
Verdict:
Malicious
Gathering data
Threat name:
ByteCode-MSIL.Trojan.RedlineStealer
Status:
Malicious
First seen:
2026-05-07 21:59:09 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
8edf63e404795c64cc17d553a80a5c3df86f30592838812312e665bf7c8d735d
MD5 hash:
b15bc2e6b93fb013e344f426a60d85c1
SHA1 hash:
d58458448941b21a4e98ba8fa8d4a7ce61ecfeb9
SH256 hash:
c341d9821f828d2b3182f783d97641aa78a2a6d95b769b7d2c7e68e76dd6389e
MD5 hash:
07ab002d5bd6b1ccb572490fe2d26f13
SHA1 hash:
56fc986e61f450f8e912eeea6c5150d1ec534f92
Detections:
triage_darkcloud_infostealer triage_expiro_worm
SH256 hash:
10d329d21caaa130466427ff625d0bfae6b1f1d26adfefd9f81f8a63f85b88d0
MD5 hash:
8593639303535cbb65d16fdb01b61e5b
SHA1 hash:
5c91fc8aaa38114227fd329bc9159e5eca903f23
SH256 hash:
0c70704dbd9c12c51a296a67932b77e909b1e5f5e2b956aa5f90509f3992c66a
MD5 hash:
f9a6d72230838707d938e3a9752c5db8
SHA1 hash:
b192a4993ba887245b47018dad8371463c6609fa
SH256 hash:
caebf12cf2229d84b4fabdf412326d127d2d9fef20e6ec54198ace170e5110e7
MD5 hash:
0d7d14bd5d98367a66ae34fdaefefab7
SHA1 hash:
c6e7e12d4f2ff0a7faaa92d677b88633bcd8ebcb
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
SH256 hash:
abdd6f31a909b0b10e30ced74a1f6f037adf1f61a8a842048dbc254d6f076169
MD5 hash:
c33a7f0e25bb3f4d3c19fc8441e9d12b
SHA1 hash:
0286b277e97b9f7c217a0d029e8144f8e20b40b9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:reverse_http
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments