MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Efimer


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c
SHA3-384 hash: 05936fabd2fef189b58ca16286e27df292103bae6e4882b886ac3a318f88cb19f08ce65afb8870fd513ac6d637518983
SHA1 hash: 1887ba256da9261835e011c5696cdf46b1eff294
MD5 hash: 6004689475f489f66a6f75fdd64c8b33
humanhash: colorado-saturn-apart-florida
File name:𝑎𝐝𝐨𝐛𝐞_𝐩𝐨𝑟𝑡a𝐛𝑙𝐞_𝑣𝟟35𝟞_𝑏𝐲r_x3.exe
Download: download sample
Signature Efimer
Create hunting rule
File size:12'616'094 bytes
First seen:2025-11-19 15:04:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (51 x BlankGrabber, 26 x Efimer, 22 x NetSupport)
ssdeep 393216:qJgThuPwPuGJ87trh+TgrMWXMCHWUj+NcuI3/PjuUwO:qJnUq71h+T+XMb8+6H/rAO
TLSH T1EBD6335859D042EAEE73407CAED13224E6B8F8B61735CA9F87B90352AE571D00C3E75B
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon d4f0d4d8c8e47130 (2 x Efimer)
Reporter aachum
Tags:Efimer exe


Avatar
iamaachum
https://filesprograms.digital/dl.php?dl=YWRvYmVfcG9ydGFibGVfdk5OTk5fQkFMX3gzLmV4ZQ%3D%3D => https://cieharryalbert.fr/?dl=YWRvYmVfcG9ydGFibGVfdk5OTk5fQkFMX3gzLmV4ZQ%3D%3D

Efimer C2: http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion/route.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3ddf5393-54a2-4a4f-9b32-d12dc1ecbaad
Verdict:
Malicious activity
Analysis date:
2025-11-19 15:08:39 UTC
Tags:
python evasion pyinstaller
Link:
https://app.any.run/tasks/3ddf5393-54a2-4a4f-9b32-d12dc1ecbaad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38676/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691ddc7e27c5936d7d0dc238
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand installer-heuristic lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller
Link:
https://www.filescan.io/uploads/691ddc79bb583c299ad44c60/reports/3f0b12dc-dd29-45fb-8b8c-6651a3fb9ea7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c
Verdict:
Clean
File Type:
exe x64
First seen:
2025-11-20T00:49:00Z UTC
Last seen:
2025-11-20T01:20:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/47a51d97-fe13-47ae-9178-bd8f96394f2d
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad.troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1816965
Signature
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1816965 Sample: dc1b#Ud835#Udc59#Ud835#Udc1... Startdate: 19/11/2025 Architecture: WINDOWS Score: 96 75 ipinfo.io 2->75 89 Connects to many ports of the same IP (likely port scanning) 2->89 91 Sigma detected: WScript or CScript Dropper 2->91 93 Joe Sandbox ML detected suspicious sample 2->93 95 5 other signatures 2->95 9 dc1b#Ud835#Udc59#Ud835#Udc1e_#Ud835#Udc63#Ud835#Udfdf35#Ud835#Udfde_#Ud835#Udc4f#Ud835#Udc32r_x3.exe 26 2->9         started        13 wscript.exe 2->13         started        signatures3 process4 file5 61 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->61 dropped 63 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->63 dropped 65 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 9->65 dropped 67 14 other files (none is malicious) 9->67 dropped 97 Uses schtasks.exe or at.exe to add and modify task schedules 9->97 99 Adds a directory exclusion to Windows Defender 9->99 101 Found pyInstaller with non standard icon 9->101 15 dc1b#Ud835#Udc59#Ud835#Udc1e_#Ud835#Udc63#Ud835#Udfdf35#Ud835#Udfde_#Ud835#Udc4f#Ud835#Udc32r_x3.exe 8 9->15         started        103 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->103 105 Suspicious execution chain found 13->105 19 svcup.exe 13->19         started        22 curl.exe 13->22         started        24 svcup.exe 13->24         started        signatures6 process7 dnsIp8 69 C:\Users\Public\Music\uhele\svcup.exe, PE32+ 15->69 dropped 71 C:\Users\Public\Music\uhele\uyogi.xml, XML 15->71 dropped 73 C:\Users\Public\Music\uhele\uyogi.js, ASCII 15->73 dropped 87 Adds a directory exclusion to Windows Defender 15->87 26 cmd.exe 1 15->26         started        29 cmd.exe 1 15->29         started        31 cmd.exe 1 15->31         started        39 5 other processes 15->39 77 77.174.62.158, 43261, 49732 NL-CONCEPTSNL Netherlands 19->77 79 162.247.74.217, 443, 49728 CALYX-ASUS United States 19->79 81 2 other IPs or domains 19->81 33 conhost.exe 19->33         started        35 conhost.exe 22->35         started        37 conhost.exe 24->37         started        file9 signatures10 process11 dnsIp12 107 Adds a directory exclusion to Windows Defender 26->107 42 powershell.exe 22 26->42         started        45 conhost.exe 26->45         started        47 powershell.exe 23 29->47         started        49 conhost.exe 29->49         started        51 powershell.exe 23 31->51         started        53 conhost.exe 31->53         started        83 ipinfo.io 34.117.59.81, 443, 49723 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 39->83 85 127.0.0.1 unknown unknown 39->85 55 powershell.exe 39->55         started        57 powershell.exe 39->57         started        59 6 other processes 39->59 signatures13 process14 signatures15 109 Loading BitLocker PowerShell Module 47->109
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/6004689475f489f66a6f75fdd64c8b33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c/
Verdict:
Malicious
Threat:
Family.EFIMER
Link:
https://tip.neiki.dev/file/d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c
Threat name:
Win64.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-19 15:04:29 UTC
File Type:
PE+ (Exe)
Extracted files:
6
AV detection:
3 of 36 (8.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jd3her4min5x33ghqz76phvobznupraovro6sbd24nkthmxnnwa._file
Result
Malware family:
efimer
Create hunting rule
Score:
  10/10
Tags:
family:efimer execution persistence pyinstaller trojan
Link:
https://tria.ge/reports/251119-sfsypacq4v/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Efimer
Efimer family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6461d0c7-7b07-41cc-b93c-72aa49bc2a29
Unpacked files
SH256 hash:
d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c
MD5 hash:
6004689475f489f66a6f75fdd64c8b33
SHA1 hash:
1887ba256da9261835e011c5696cdf46b1eff294
Link:
https://www.unpac.me/results/85a794a5-0710-4d9c-a142-447ea62e1623/
SH256 hash:
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
MD5 hash:
862f820c3251e4ca6fc0ac00e4092239
SHA1 hash:
ef96d84b253041b090c243594f90938e9a487a9a
Link:
https://www.unpac.me/results/85a794a5-0710-4d9c-a142-447ea62e1623/
SH256 hash:
b9e3da3b27a07ed153fd09102ee9204389adf0edfd34fb753261501898e35c64
MD5 hash:
c22e172f9d55595275b8a91989ece783
SHA1 hash:
e4154aa5ee7704b02130bb737df0bcf650d289ca
Detections:
SUSP_OBF_PyArmor_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/85a794a5-0710-4d9c-a142-447ea62e1623/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d247b3923c62/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Efimer

Executable exe d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c

(this sample)

  
Link
https://tria.ge/251119-rx4wvacn2v/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38676/

Comments