MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb8f5ce081436b3156b82cc4d2533dacb49ada314d258b10aad38f50c4ee5696. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PythonStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	bb8f5ce081436b3156b82cc4d2533dacb49ada314d258b10aad38f50c4ee5696
SHA3-384 hash:	6b349e7820ce70d395a08ece7461d181228310199c4e455e0c46b567d3e9e12015e87542b3fef6ec69085bcd1ee4f1b7
SHA1 hash:	135ab63662beab2569cbcf2df09c466cd5cbbe5e
MD5 hash:	d31a5b680e14b82d21604f96f7fcaf59
humanhash:	bacon-black-early-four
File name:	cluesh fixed.exe
Download:	download sample
Signature	PythonStealer Create hunting rule
File size:	14'858'240 bytes
First seen:	2025-06-04 15:52:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e669ec4d83bbf79f71f6a0bc9f9c6a7d (2 x PythonStealer)
ssdeep	196608:lx4h1qml1Zf2FEB/AR43yB27EVHvkBCPcqINL0y26eEOqIEmImNizSPboXiTsCwH:mzhf9BYR4fYR+CPcDuy2xERmVN/+i8H
TLSH	T1FDE63308A13E0BF1F2A3C73E8D654DA7E2F578E31781D7275380A2B56E632E0C566752
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	00e9cc6c64f8e902 (1 x PythonStealer)
Reporter	burger
Tags:	exe PythonStealer TroxStealer

Intelligence

File Origin

# of uploads :

# of downloads :

489

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ClueshRaider-main.zip

Verdict:

Suspicious activity

Analysis date:

2025-06-03 05:28:43 UTC

Tags:

arch-exec

Link:

https://app.any.run/tasks/d3c75c73-3729-4f02-b234-cfce2140fdc6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/7321/

Detection(s):

PUA.Win.Packer.Nuitka-9992781-0

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68406c918bd5d68a12e532b0

Tags:

extens virus sage

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Running batch commands

Creating a process with a hidden window

Delayed reading of the file

Launching cmd.exe command interpreter

Сreating synchronization primitives

Searching for the window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

banker expand lolbin microsoft_visual_cc nuitka packed packed packer_detected

Link:

https://www.filescan.io/uploads/68406c02fd02ed5e0598195b/reports/3e4273b8-f154-4024-8e26-66ebf46f20a8/overview

Verdict:

Malicious

Labled as:

Midie.Generic

Link:

https://www.hybrid-analysis.com/sample/bb8f5ce081436b3156b82cc4d2533dacb49ada314d258b10aad38f50c4ee5696

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/d2bc9ce7-aab0-4708-ba10-62ba16b24ec6

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1706218

Signature

Found pyInstaller with non standard icon

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bb8f5ce081436b3156b82cc4d2533dacb49ada314d258b10aad38f50c4ee5696

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb8f5ce081436b3156b82cc4d2533dacb49ada314d258b10aad38f50c4ee5696/

Threat name:

Win64.Trojan.Midie

Status:

Malicious

First seen:

2025-06-02 05:29:18 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xohvzyebinvtcvvyftcneuz5vs2jvwrrjusywefk2ohvbrhok2la._file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/250604-tbtvvscn7y/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Loads dropped DLL

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ade7cb7c-76ad-4d9c-b3b8-3790b3f80c3a

Unpacked files

SH256 hash:

bb8f5ce081436b3156b82cc4d2533dacb49ada314d258b10aad38f50c4ee5696

MD5 hash:

d31a5b680e14b82d21604f96f7fcaf59

SHA1 hash:

135ab63662beab2569cbcf2df09c466cd5cbbe5e

Link:

https://www.unpac.me/results/8fa98236-96a8-4cee-9324-928236848cfc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bb8f5ce081436b3156b82cc4d2533dacb49ada314d258b10aad38f50c4ee5696

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	nuitka_py_compiler Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	Executable compiled with Nuitka Python Compiler

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/7321/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::GetFileAttributesW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample