MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PupkinStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
SHA3-384 hash: a45d512570c308081b70d99ecfc94033c1b99e5092717a00bb82f99cc84aad4cbd10ecf8e0eec25fc0f29e44a05ff8a5
SHA1 hash: 84dd5bc96170c98ad1d1ec90e8f09ec99e6dc9db
MD5 hash: fc99a7ef8d7a2028ce73bf42d3a95bce
humanhash: whiskey-quebec-whiskey-victor
File name:PupkinStealer.exe
Download: download sample
Signature PupkinStealer
Create hunting rule
File size:6'510'592 bytes
First seen:2025-04-30 09:36:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:TFQqLFt02M1NVN8iNISVgaTtkSIGcD3KWAL:zZtVM7XxgMtkSPczKt
Threatray 240 similar samples on MalwareBazaar
TLSH T1526633DAB9532C06F537437614A37150DA997432EA34AFD8399C7388863F88B5E61E3C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter smica83
Tags:exe PupkinStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
541
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f.zip
Verdict:
Malicious activity
Analysis date:
2025-04-30 09:47:44 UTC
Tags:
stealer telegram
Link:
https://app.any.run/tasks/7013df75-f5e6-4110-9b52-5f5d53b0d4b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5217/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6811f1c0cc5fb3600cc521e1
Tags:
packed virus msil
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected reconnaissance stealer telegram
Link:
https://www.filescan.io/uploads/6811ef42a8d43a4dd612ed15/reports/e44fe229-2616-4d1c-bbb9-5b6046327c05/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12e926c5-f622-48b7-998f-14347a6b6629
Result
Threat name:
Pupkin Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1678050
Signature
.NET source code contains potential unpacker
Contains functionality to capture screen (.Net source)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Yara detected Pupkin Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-04-21 13:36:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=smeqapbel6klutxfecmnvw5kbufe3a5ueplwyg74bavbykpaxfpq._file
Verdict:
malicious
Label(s):
pupkinstealer
Create hunting rule
Similar samples:
0eb85e60089e1fc934d86d3f02ac7b836c08f168f6ec34a8b92691ec464e4d51
PupkinStealer
315a1f8369939cfa07d9b3e24d514534096c3e4459bda10fd183eb1129bf8d01
PupkinStealer
34443c63e5b3678dfd5df2e83fb1c70dcad8fbaa658a25bcde512e216e8d4a1c
PupkinStealer
9dc28d9009e1d6a240030460e6c4e27e2014842cd3e7ab0349d31dd13b5fdfb8
PupkinStealer
9f72c5446e5468463ddd5abaed5b82df3b5e58ef31280ae4a77ad53925c75f0e
PupkinStealer
b2a11246f3220f05b3137e56f23602f9d1a30b2b3b994e1671ed1b12f468f2a9
PupkinStealer
d30077ddf2ad7b2518c46808a3098bb8f5e8a4735c1a6fbdc60b09af4e784b60
PupkinStealer
dc87e3974829f25f56a0f1a822823670e0e29b5509995726e90fafe817ed5318
PupkinStealer
+ 230 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/250430-llhatagq61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/13d562a9-79d5-4850-b9b9-03dc22ee6e16
Unpacked files
SH256 hash:
9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
MD5 hash:
fc99a7ef8d7a2028ce73bf42d3a95bce
SHA1 hash:
84dd5bc96170c98ad1d1ec90e8f09ec99e6dc9db
Link:
https://www.unpac.me/results/78f0fc3f-0051-4f17-be5a-04118e731b64/
SH256 hash:
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
MD5 hash:
a999d7f3807564cc816c16f862a60bbe
SHA1 hash:
1ee724daaf70c6b0083bf589674b6f6d8427544f
Link:
https://www.unpac.me/results/78f0fc3f-0051-4f17-be5a-04118e731b64/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/5217/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments