MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b513572fbc4154717c723d52dd793c413d98ef370efb050ff800a89c8dcd15c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	b513572fbc4154717c723d52dd793c413d98ef370efb050ff800a89c8dcd15c4
SHA3-384 hash:	08a88f3f345037b014b3f658de35a7fd978dd4c2d40e873f65793d6e7ac5b9f2dbaa41e73ba71189a416d93aeaa67f55
SHA1 hash:	f69fdf685bc0a2f51aceafe516579c50bc830330
MD5 hash:	1099baa9e7504dffe917eeb846c16943
humanhash:	apart-red-mango-high
File name:	CookiesGrabber.exe
Download:	download sample
File size:	11'675'530 bytes
First seen:	2025-06-21 20:21:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	064967a99ade726316dc79a4a929fe96 (5 x QuasarRAT, 2 x PythonStealer, 1 x njrat)
ssdeep	196608:tka85DbJrteFCugl0Y1surHmoFP/XRLDmeiYnz4gG2/Tsj+cOnOxd:z85vzaCuFesuCAXVmeiYnz4gC
TLSH	T1E2C63398239406D7FCE6DB39A962C8B2D355BE171B16C5C383F0D9A21D232C1673BB12
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
dhash icon	aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter	AntiSkidding
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

460

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CookiesGrabber.exe

Verdict:

Malicious activity

Analysis date:

2025-06-21 18:26:57 UTC

Tags:

python

Link:

https://app.any.run/tasks/8d477ec6-bd8e-496d-a8c3-981c48862b4f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/10396/

Detection(s):

SecuriteInfo.com.Generic.PySpy.B.C2E3BCD5.19792.12890.UNOFFICIAL

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6857158d32ed47a3a8d674aa

Tags:

installer extens remo

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Creating a window

Delayed reading of the file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

expand lolbin microsoft_visual_cc overlay overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/685714f03faf8fcd7d3a257f/reports/8938abe8-73a1-4705-953b-7247bbbf2c89/overview

Verdict:

Malicious

Labled as:

PySpy.B.Generic

Link:

https://www.hybrid-analysis.com/sample/b513572fbc4154717c723d52dd793c413d98ef370efb050ff800a89c8dcd15c4

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/30dd5ed9-6c9e-432c-b4e4-c41dd01b4cba

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1720012

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b513572fbc4154717c723d52dd793c413d98ef370efb050ff800a89c8dcd15c4

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PE (Portable Executable) Win 64 Exe x64

Link:

https://app.malva.re/file/1099baa9e7504dffe917eeb846c16943

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b513572fbc4154717c723d52dd793c413d98ef370efb050ff800a89c8dcd15c4/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/b513572fbc4154717c723d52dd793c413d98ef370efb050ff800a89c8dcd15c4

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-06-21 20:24:20 UTC

File Type:

PE+ (Exe)

Extracted files:

928

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wujvol54ifkhc7dshvjn26j4ie6zr3zxb35qkd7yacujzdoncxca._file

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller spyware stealer

Link:

https://tria.ge/reports/250621-y6vsvstqv4/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Reads user/profile data of web browsers

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/745ff9b3-efb9-43b4-87eb-410a09f5863a

Unpacked files

SH256 hash:

b513572fbc4154717c723d52dd793c413d98ef370efb050ff800a89c8dcd15c4

MD5 hash:

1099baa9e7504dffe917eeb846c16943

SHA1 hash:

f69fdf685bc0a2f51aceafe516579c50bc830330

Link:

https://www.unpac.me/results/d73e5c4f-7ec0-47f6-976f-a66cddd4522a/

SH256 hash:

007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe

MD5 hash:

8d4805f0651186046c48d3e2356623db

SHA1 hash:

18c27c000384418abcf9c88a72f3d55d83beda91

Link:

https://www.unpac.me/results/d73e5c4f-7ec0-47f6-976f-a66cddd4522a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b513572fbc4154717c723d52dd793c413d98ef370efb050ff800a89c8dcd15c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	exela Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked exela stealer malware samples.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/10396/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample