MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Expiro

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd
SHA3-384 hash:	d0fb11e86ce833feacacdd3ae730c468f8cfeeb521c4fe3704e1a7e2de1b5e10196259bb338179c78b75d5921fa22695
SHA1 hash:	6b0f024c4c08c8ee43516f2ac8e3f30780f570b1
MD5 hash:	e06cc4d6d048ae9c8c0636135278d807
humanhash:	table-mountain-echo-maine
File name:	b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd.exe
Download:	download sample
Signature	Expiro Create hunting rule
File size:	1'838'080 bytes
First seen:	2026-03-31 03:42:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	59dd7ae6bef680b839d5a65e314ee5ce (1 x CoinMiner, 1 x Expiro)
ssdeep	49152:hr/T43fxo3C9/C6WdiCNOYcsx4x8EVep:hrMpokC6+1ix8EVy
Threatray	276 similar samples on MalwareBazaar
TLSH	T1AE852324B6D68030E5B719324AF0E6B41A7CFC309F72895F57552A1FAAB04D1EA38377
TrID	29.5% (.EXE) Win64 Executable (generic) (6522/11/2) 22.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 17 x ValleyRAT)
Reporter	KnownSpotter
Tags:	exe Expiro

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd.exe

Verdict:

Malicious activity

Analysis date:

2026-03-31 03:33:30 UTC

Tags:

m0yv phishing

Link:

https://app.any.run/tasks/8084b8b9-9f7a-46db-bf21-1aaa5a012e41

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/59823/

Detection(s):

SecuriteInfo.com.Win32.Expiro-1.UNOFFICIAL

SecuriteInfo.com.Win32.Expiro-2.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69cb40886363ca5d27efff28

Tags:

expiro trojan virus remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Modifying a system executable file

Creating a file in the Program Files subdirectories

Launching a service

Launching a process

Searching for synchronization primitives

Loading a system driver

Creating a window

Connection attempt to an infection source

Creating a file in the system32 subdirectories

Modifying an executable file

Modifying a system file

Creating a file in the Windows subdirectories

Creating a file

Using the Windows Management Instrumentation requests

Enabling autorun for a service

Query of malicious DNS domain

Infecting executable files

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Labled as:

Expiro.Generic

Link:

https://www.hybrid-analysis.com/sample/b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-12T22:18:00Z UTC

Last seen:

2026-03-31T04:45:00Z UTC

Hits:

~10

Detections:

Virus.Win64.Moiva.a Virus.Win32.Moiva.a HEUR:Virus.Win32.Generic HEUR:Trojan.Win64.Kryplod.pef

Link:

https://opentip.kaspersky.com/b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd/results?tab=lookup

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e2631fed-8669-4f00-96c0-46004ad5d567

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/e06cc4d6d048ae9c8c0636135278d807

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd/

Verdict:

Malicious

Threat:

Family.M0YV

Link:

https://tip.neiki.dev/file/b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd

Threat name:

Win32.Virus.Expiro

Status:

Malicious

First seen:

2026-01-14 10:27:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 36 (86.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wjijh5sxj723fv7726d3jb6hdascp7sd2uwwufladssq742jcd6q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery ransomware spyware stealer

Link:

https://tria.ge/reports/260331-d9geesgs5w/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Enumerates connected drives

Executes dropped EXE

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd

MD5 hash:

e06cc4d6d048ae9c8c0636135278d807

SHA1 hash:

6b0f024c4c08c8ee43516f2ac8e3f30780f570b1

Link:

https://www.unpac.me/results/edfa32e7-0e32-4ac3-83e8-b11228b5a557/

SH256 hash:

0840fefc1e736bb1f9fcfe5e793ed43f15be7491f8062aabdaf4efeb81a6e5a2

MD5 hash:

f5485e561bd78ebfd71f235f7c11ab5d

SHA1 hash:

09ec8170bdd9b3e6a91a818f0b6c777739bf8e9e

Link:

https://www.unpac.me/results/edfa32e7-0e32-4ac3-83e8-b11228b5a557/

SH256 hash:

397502bb6250b2e28332e4a0c22684c40327bcb193719a4c0c0d60609718a51b

MD5 hash:

7a075e6a3b78b68ac5eca80c694476e4

SHA1 hash:

18f12c961527415eb34ca3c0cc9005dd6281b233

Link:

https://www.unpac.me/results/edfa32e7-0e32-4ac3-83e8-b11228b5a557/

SH256 hash:

6b9cf6d9f8d661ca1de7f8fc7d2e2602d494ec429576583c9523582c8eb833bf

MD5 hash:

d34517d9691d8d370a25b19346a0787b

SHA1 hash:

5b6aa458f1d0759bee1238dc6e6f082f3d6e17fd

Link:

https://www.unpac.me/results/edfa32e7-0e32-4ac3-83e8-b11228b5a557/

SH256 hash:

a6e396f7e632e6d2c2cb6e924505505016eed4a17ff8c88cbe2fba5833fe8839

MD5 hash:

8bc9478514d6ee4b7610f48d276e6a0f

SHA1 hash:

7e022daa6a4db92d6ac0b0762a2e188f7fcaf6a3

Link:

https://www.unpac.me/results/edfa32e7-0e32-4ac3-83e8-b11228b5a557/

SH256 hash:

38b9be5e2a39ce48c22415ec3ff0afce4d436634f48dc33fc5abaf0d95449b01

MD5 hash:

f34130517925a4ae30b84f7c8f75ec68

SHA1 hash:

03bac7880c31551fb282cd0c7a03ae93901474b0

Link:

https://www.unpac.me/results/edfa32e7-0e32-4ac3-83e8-b11228b5a557/

SH256 hash:

9146db104797655d5a84c55c612a87cb0eb359b4843812819a5f0f1fa9b8f6b0

MD5 hash:

33126747f897b974669735ea0ce3b955

SHA1 hash:

cd4d67ebf40bec88444e60e59e9f9f3acbd7015c

Link:

https://www.unpac.me/results/edfa32e7-0e32-4ac3-83e8-b11228b5a557/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Expiro

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_M0yv_92f66467 Create hunting rule
Author:	Elastic Security

Rule name:	win_m0yv_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.m0yv.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/59823/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample