MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Expiro

Vendor detections: 16

Intelligence 16 IOCs YARA 14 File information Comments

SHA256 hash:	cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5
SHA3-384 hash:	4fc7e90eb6e784023fac289b7ff46eb3737e24abb3e1489ee898e3de6354942ee7061bb875c8dfafc06436df402020e8
SHA1 hash:	e6bf5b097c1d44fab3d59b311d88c4468a56d498
MD5 hash:	a430da7ef601bfce5a5b35978133b674
humanhash:	washington-mexico-three-kitten
File name:	Approved pending invoices.exe
Download:	download sample
Signature	Expiro Create hunting rule
File size:	1'803'776 bytes
First seen:	2026-04-01 07:29:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1895460fffad9475fda0c84755ecfee1 (441 x Formbook, 145 x AgentTesla, 72 x a310Logger)
ssdeep	49152:jPVtxLZeJbInQRa6DI+TNDDmg27RnWGj:ztYbInQNpDD527BWG
Threatray	1'597 similar samples on MalwareBazaar
TLSH	T1EE85E0027381D062FFAB91734B5AF6115ABD7A260123A61F13981D7EFE701B1463E7A3
TrID	29.5% (.EXE) Win64 Executable (generic) (6522/11/2) 22.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'644 x Formbook, 1'203 x CredentialFlusher, 907 x AgentTesla)
Reporter	adrian__luca
Tags:	exe Expiro

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

Approved pending invoices.exe

Verdict:

Malicious activity

Analysis date:

2026-04-01 07:38:19 UTC

Tags:

evasion snake keylogger telegram stealer spyware netreactor

Link:

https://app.any.run/tasks/03ec7611-d55f-4986-9356-f23b49511c60

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Win32.Expiro-1.UNOFFICIAL

SecuriteInfo.com.Win32.Expiro-2.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ccc9bc3a18a6e1ddf039a4

Tags:

autoit expiro emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Expiro.Generic

Link:

https://www.hybrid-analysis.com/sample/cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-03-12T23:36:00Z UTC

Last seen:

2026-03-25T08:28:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bdc91656-04a2-4fc6-8324-fbd5b7ec838a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5/

Verdict:

Malicious

Threat:

Family.M0YV

Link:

https://tip.neiki.dev/file/cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5

Threat name:

Win32.Virus.Expiro

Status:

Malicious

First seen:

2026-03-13 12:04:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 36 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zvq6xflaxxad4qjmdfznswg22unfbtj5uxxytjsdxm63siar3psq._file

Verdict:

malicious

Label(s):

expiro

unc_loader_001

asyncrat

Expiro

2ae5d7a2c53dae715a36f67b8cdf5b6f861acb5b79792a74d34a1bcba03fd2ba

Expiro

2cffa345bef02044e2462f4c02075e67bbe742b44c18916715cad3071f015903

Expiro

3fdee37db1ff6a12e661722be3f41328fad0de6d6191663e00e4ba278e66c92c

Expiro

8acc015652b5b580ffeeda6878751eaa3c412f1b34e856275efd42fd86851d0b

Expiro

e8c96e9b3d270abd9522f17ab7d493d91099e9b0d637b792d686b6536a59ec7e

Expiro

error

Expiro

+ 1'587 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery keylogger stealer

Link:

https://tria.ge/reports/260401-jb7rlscw6w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Browser Information Discovery

Program crash

AutoIT Executable

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

VIPKeylogger

Vipkeylogger family

Unpacked files

SH256 hash:

cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5

MD5 hash:

a430da7ef601bfce5a5b35978133b674

SHA1 hash:

e6bf5b097c1d44fab3d59b311d88c4468a56d498

Link:

https://www.unpac.me/results/6b4aebf0-e709-44c8-b33c-1c9bec57b8e3/

SH256 hash:

6b5b4253666f59956432b92ae5390665bed7b3449c868dd6ca8fc8d6aa8375cd

MD5 hash:

b438c5557c0c1c2d08c2cdbdf3143cd3

SHA1 hash:

ccbdd54033caa4e4d90c9e66debda1f9265a6250

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/6b4aebf0-e709-44c8-b33c-1c9bec57b8e3/

SH256 hash:

1734ee21af6471112c2ad999386e296943524d692a8297eb190896c4c34895c7

MD5 hash:

4429265db4ad438a257b2ba9afd742dc

SHA1 hash:

57fcf2bc657191561e0e79a92ed49547a07e5f78

Detections:

win_404keylogger_g1

SUSP_OBF_NET_Reactor_Indicators_Jan24

RedLine_Campaign_June2021

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/6b4aebf0-e709-44c8-b33c-1c9bec57b8e3/

SH256 hash:

e86d720b1cdead37796d3ef82183bb7c13ffab0e2eb086aa4c5b70233545ca0a

MD5 hash:

1cb84d5c6363accb83f8f1e68f1251fb

SHA1 hash:

fa30307ed8e36474c2cace65104472b1428ffea6

Detections:

win_404keylogger_g1

SUSP_OBF_NET_Reactor_Indicators_Jan24

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/6b4aebf0-e709-44c8-b33c-1c9bec57b8e3/

Malware family:

Expiro

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cd61eb9560bd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Expiro

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Virus_Expiro_84e99ff0 Create hunting rule
Author:	Elastic Security

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Expiro

exe cd61eb9560bdc03e412c1972d958dad51a50cd3da5ef89a643bb3db92011dbe5

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/60001/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample