MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5b6b39303894624a2a833522ccec4085eedb74667fc8438a97b1ea50417b6b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PythonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5b6b39303894624a2a833522ccec4085eedb74667fc8438a97b1ea50417b6b7
SHA3-384 hash: dd08a762c853c2177d353d8a0e4ed169485ca337d4b7ef5f9bc822a3cb92765ce867908a4897cd720da583efefc20a19
SHA1 hash: 82d3884c7cc6219a9e9b921867d01dff61c333b8
MD5 hash: 790eaa3935acdab3dedd831ae78ca610
humanhash: tennessee-finch-ink-lithium
File name:Volcano_Installer.exe
Download: download sample
Signature PythonStealer
Create hunting rule
File size:93'689'975 bytes
First seen:2025-10-16 17:53:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (41 x BlankGrabber, 20 x Efimer, 17 x PythonStealer)
ssdeep 1572864:DoMo80EWxlxWjlOkiqOv8im2AzAE7Qbli0XiYgj+h58sMwbxZEmBwUWJhI:Dd30EWxjiOknOv8i3mWw0p5PrVwM
TLSH T10828338D317884B4CD9A38F36CECCA65D950946A8B60CBD6C3A417606FB7199BC3DF21
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:exe pysilon PythonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Volcano_Installer.exe
Verdict:
Malicious activity
Analysis date:
2025-10-16 17:52:33 UTC
Tags:
pyinstaller python anti-evasion uac
Link:
https://app.any.run/tasks/6c85e4f7-d792-49c3-86e1-b550704b304e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f130de0cffb32442986a62
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file
Launching a process
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller
Link:
https://www.filescan.io/uploads/68f13123df5cb32bf1f01f04/reports/f0116a6e-986d-45cd-8b81-81c17f4cfa24/overview
Verdict:
Malicious
Labled as:
PYC/Disgrab.D.gen
Link:
https://www.hybrid-analysis.com/sample/a5b6b39303894624a2a833522ccec4085eedb74667fc8438a97b1ea50417b6b7
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-16T14:49:00Z UTC
Last seen:
2025-10-18T12:56:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-PSW.Python.Agent.gen HEUR:Trojan-PSW.Multi.Disco.gen HEUR:Trojan.Python.Agent.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb HEUR:Trojan-PSW.Python.Nuker.gen HEUR:Trojan.Python.Pytr.db Worm.Win32.Cridex.sb Trojan-PSW.Win32.Coins.sb HEUR:Trojan-Spy.Python.Agent.gen HEUR:Trojan-PSW.Win32.Disco.gen HEUR:Trojan.Python.Yapt.c HEUR:Trojan.Python.Tpyc.i HEUR:Trojan.Python.Pytr.k not-a-virus:HEUR:PSWTool.Python.LaZagne.gen not-a-virus:HEUR:PSWTool.Python.BroPass.gen
Link:
https://opentip.kaspersky.com/a5b6b39303894624a2a833522ccec4085eedb74667fc8438a97b1ea50417b6b7/results?tab=lookup
Result
Threat name:
Python Stealer, Discord Token Stealer, P
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1796756
Signature
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Yara detected Discord Token Stealer
Yara detected Generic Python Stealer
Yara detected PySilon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1796756 Sample: Volcano_Installer.exe Startdate: 16/10/2025 Architecture: WINDOWS Score: 100 121 discord.com 2->121 127 Multi AV Scanner detection for submitted file 2->127 129 Yara detected PySilon Stealer 2->129 131 Yara detected Discord Token Stealer 2->131 133 3 other signatures 2->133 13 Volcano_Installer.exe 1001 2->13         started        17 Volcano.exe 2->17         started        signatures3 process4 file5 105 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 13->105 dropped 107 C:\...\unuran_wrapper.cp311-win_amd64.pyd, PE32+ 13->107 dropped 109 C:\...\_stats_pythran.cp311-win_amd64.pyd, PE32+ 13->109 dropped 117 301 other files (42 malicious) 13->117 dropped 155 Adds a directory exclusion to Windows Defender 13->155 157 Writes many files with high entropy 13->157 19 Volcano_Installer.exe 2 3 13->19         started        111 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 17->111 dropped 113 C:\...\unuran_wrapper.cp311-win_amd64.pyd, PE32+ 17->113 dropped 115 C:\...\_stats_pythran.cp311-win_amd64.pyd, PE32+ 17->115 dropped 119 272 other files (40 malicious) 17->119 dropped 23 Volcano.exe 17->23         started        signatures6 process7 file8 95 C:\Users\user\Volcano\Volcano.exe, PE32+ 19->95 dropped 139 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->139 141 Adds a directory exclusion to Windows Defender 19->141 25 cmd.exe 19->25         started        28 cmd.exe 1 19->28         started        30 powershell.exe 19->30         started        32 cmd.exe 23->32         started        34 cmd.exe 23->34         started        36 cmd.exe 23->36         started        38 4 other processes 23->38 signatures9 process10 signatures11 143 Uses cmd line tools excessively to alter registry or file data 25->143 40 Volcano.exe 25->40         started        50 3 other processes 25->50 44 conhost.exe 28->44         started        145 Loading BitLocker PowerShell Module 30->145 46 conhost.exe 30->46         started        48 ComputerDefaults.exe 32->48         started        52 3 other processes 32->52 54 2 other processes 34->54 56 2 other processes 36->56 58 7 other processes 38->58 process12 file13 97 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 40->97 dropped 99 C:\...\unuran_wrapper.cp311-win_amd64.pyd, PE32+ 40->99 dropped 101 C:\...\_stats_pythran.cp311-win_amd64.pyd, PE32+ 40->101 dropped 103 316 other files (42 malicious) 40->103 dropped 147 Adds a directory exclusion to Windows Defender 40->147 149 Writes many files with high entropy 40->149 60 Volcano.exe 40->60         started        64 Volcano.exe 48->64         started        151 UAC bypass detected (Fodhelper) 56->151 signatures14 process15 dnsIp16 123 discord.com 162.159.138.232, 443, 49693, 49697 CLOUDFLARENETUS United States 60->123 125 127.0.0.1 unknown unknown 60->125 153 Adds a directory exclusion to Windows Defender 60->153 67 powershell.exe 60->67         started        70 cmd.exe 60->70         started        87 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 64->87 dropped 89 C:\...\unuran_wrapper.cp311-win_amd64.pyd, PE32+ 64->89 dropped 91 C:\...\_stats_pythran.cp311-win_amd64.pyd, PE32+ 64->91 dropped 93 253 other files (37 malicious) 64->93 dropped 72 Volcano.exe 64->72         started        file17 signatures18 process19 signatures20 135 Loading BitLocker PowerShell Module 67->135 74 conhost.exe 67->74         started        76 conhost.exe 70->76         started        137 Adds a directory exclusion to Windows Defender 72->137 78 powershell.exe 72->78         started        81 cmd.exe 72->81         started        process21 signatures22 159 Loading BitLocker PowerShell Module 78->159 83 conhost.exe 78->83         started        85 conhost.exe 81->85         started        process23
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a5b6b39303894624a2a833522ccec4085eedb74667fc8438a97b1ea50417b6b7
Gathering data
Verdict:
Malicious
Threat:
Family.PYSILON
Link:
https://tip.neiki.dev/file/a5b6b39303894624a2a833522ccec4085eedb74667fc8438a97b1ea50417b6b7
Threat name:
Win64.Trojan.PySpy
Create hunting rule
Status:
Malicious
First seen:
2025-10-16 17:52:29 UTC
File Type:
PE+ (Exe)
Extracted files:
5541
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uw3lheydrfdcjivignjcztwebbpo3n2gm76iiofjpmpkkbaxw23q._file
Result
Malware family:
pysilon
Create hunting rule
Score:
  10/10
Tags:
family:pysilon defense_evasion execution persistence pyinstaller upx
Link:
https://tria.ge/reports/251016-wgk61sdp7v/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
UPX packed file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Sets file to hidden
Enumerates VirtualBox DLL files
Verdict:
Malicious
Tags:
Win.Malware.Tedy-10036920-0
YARA:
n/a
Link:
https://app.threat.zone/submission/ac038ab5-d9d1-4c0b-8800-33a48242bfe5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments