MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2a8fc67ee43ce1bf1af64da8cf5798a81303121fae64e2dfd1386f483ce55ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13



SHA256 hash: d2a8fc67ee43ce1bf1af64da8cf5798a81303121fae64e2dfd1386f483ce55ba
SHA3-384 hash: b3e67f21b01eff547b286f59a824df0451277bf4d4b4dd331325fe9ceb12b6f6c3dfdc6612b1ee03e2ada849d793d04e
SHA1 hash: b16e3a1c2333ecebdf35ca7afbe36bcd4938a49d
MD5 hash: d5c38c0a8c4444f9c37f4b56b6c5138e
humanhash: network-jig-thirteen-emma
File name: DiscordThemeTest#2.exe
File size: 7'205'089 bytes
First seen: 2026-07-03 03:59:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4ec7a9af8aea061f5934796a877e8f55
ssdeep: 196608:cxajcbr+7JdWs/KdmdO5XiO8ZAJqAa2+r94iOpjb4:cxycf+7JBNdYXy0VYGRw
TLSH: T1DC76333264E08479E4EA2B7E4639CBF4693E76150720EDCB53D82879C613AC1763D7E2
TrID: 22.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win64 Executable (generic) (6522/11/2)
      17.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: c6c2ccc4f4e0e0f8 (49 x PythonStealer, 28 x SVCStealer, 26 x CoinMiner)
Reporter: Anonymous
Tags: exe
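Two triage steps that follow from the file information above: confirm that a downloaded copy really is the bytes the entry describes (every digest, not just SHA256), and locate the PyInstaller archive cookie that the Detect_PyInstaller and PyInstaller YARA rules listed further down key on. This is an added example, not MalwareBazaar's code; the digest values are copied from the entry, the cookie layout is PyInstaller's published CArchive format, and the cookie values in the demo are constructed.

```python
"""Verify a MalwareBazaar download against the entry's digests, then look for
the PyInstaller CArchive cookie appended to the bootloader PE.
Added example, not MalwareBazaar's own code.  Runs offline on constructed data."""
import hashlib
import struct
from typing import Dict, Optional

# Digests published on the entry above, keyed by hashlib algorithm name.
ENTRY_DIGESTS = {
    "sha256": "d2a8fc67ee43ce1bf1af64da8cf5798a81303121fae64e2dfd1386f483ce55ba",
    "sha1": "b16e3a1c2333ecebdf35ca7afbe36bcd4938a49d",
    "md5": "d5c38c0a8c4444f9c37f4b56b6c5138e",
    "sha3_384": "b3e67f21b01eff547b286f59a824df0451277bf4d4b4dd331325fe9ceb12b6f6c3dfdc6612b1ee03e2ada849d793d04e",
}


def file_digests(data: bytes) -> Dict[str, str]:
    """Compute the four digests the entry publishes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_DIGESTS}


def digest_mismatches(data: bytes, expected: Dict[str, str]) -> Dict[str, str]:
    """Return {algorithm: computed} for every digest that differs from `expected`.
    An empty dict means the bytes on disk are the sample the entry describes."""
    got = file_digests(data)
    return {k: got[k] for k, v in expected.items() if got[k] != v.lower()}


# PyInstaller's CArchive cookie: 8-byte magic, then package length, TOC offset,
# TOC length, Python version and the Python DLL name (88 bytes in total, the
# format used since PyInstaller 2.1).  It sits at the end of the appended archive.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88


def find_pyinstaller_cookie(data: bytes) -> Optional[Dict[str, object]]:
    """Decode the last PyInstaller cookie in `data`, or return None if absent."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FORMAT, data, pos)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,      # length of the appended archive
        "toc_offset": toc_off,          # relative to the archive start
        "toc_length": toc_len,
        "python_version": pyver,        # recent PyInstaller: major*100+minor, e.g. 311
        "python_library": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_cookie(pkg_len: int, toc_off: int, toc_len: int, pyver: int, pylib: bytes) -> bytes:
    """Constructed cookie for demonstration only; real ones are written by PyInstaller."""
    return struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, pkg_len, toc_off, toc_len, pyver, pylib)


if __name__ == "__main__":
    # Constructed stand-in for a download: a stub header followed by a cookie.
    blob = b"MZ" + b"\x00" * 62 + build_cookie(4096, 3000, 512, 311, b"python311.dll")
    print(digest_mismatches(blob, ENTRY_DIGESTS))  # all four differ: not the sample
    print(find_pyinstaller_cookie(blob))
```

On a real download, read the file in binary mode and pass the bytes to both functions; a non-empty mismatch dict means the file is not the entry's sample and nothing else on this page applies to it.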

Intelligence


File Origin
# of uploads: 1
# of downloads: 146
Origin country: US

Vendor Threat Intelligence

Malware configuration found for: PyInstaller
Details
Malware family: n/a
ID: 1
File name: _d2a8fc67ee43ce1bf1af64da8cf5798a81303121fae64e2dfd1386f483ce55ba.exe
Verdict: Malicious activity
Analysis date: 2026-07-03 04:05:47 UTC
Tags: python pyinstaller upx openssl tool

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: installer extens shell

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Connection attempt
DNS request
Sending a custom TCP request
Adding an exclusion to Microsoft Defender

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug dropper evasive expand installer-heuristic lolbin microsoft_visual_cc overlay packed pyinstaller reconnaissance

Verdict: Malicious
Labeled as: Application.Wlan.CredentialDumper.Generic
Verdict: Malicious
File type: exe x32
First seen: 2026-07-02T19:11:00Z UTC
Last seen: 2026-07-04T18:42:00Z UTC
Hits: ~10
Detections: Trojan-PSW.Win32.Disco.sb, Backdoor.DiscoRat.HTTP.C&C, HEUR:Trojan-Spy.Python.NullRAT.gen, HEUR:Trojan-PSW.Python.Nuker.gen, HEUR:Trojan-PSW.Python.Agent.gen, HEUR:Trojan-PSW.Multi.Disco.gen, NetTool.DiscoGetMe.HTTP.C&C

Verdict: inconclusive
YARA: 6 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Verdict: Malicious
Threat: Trojan-Spy.Python.NullRAT

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2026-07-02 16:52:13 UTC
File type: PE (Exe)
Extracted files: 1085
AV detection: 14 of 23 (60.87%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: adware discovery execution persistence pyinstaller ransomware spyware upx
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Contacts third-party web service commonly abused for C2
Enumerates connected drives
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
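Several of the sandbox behaviours reported above (Defender exclusion added, process created with a hidden window, batch/PowerShell execution, Task Scheduler and Volume Shadow Copy use) have command-line forms that show up in process-creation telemetry. The following is an added example of those checks run over constructed Sysmon-style events; it is not MalwareBazaar's or any vendor's detection logic, the event fields and values are made up, and the ATT&CK IDs are the standard ones for each behaviour. One caveat the behaviour list makes clear: the COM routes reported here (Task Scheduler COM API, Volume Shadow Copy service COM API and WMI provider) leave no command line to match, so these patterns only catch the LOLBin forms; the COM forms need API or ETW telemetry.

```python
"""Command-line checks for sandbox-reported behaviours, over constructed
Sysmon EID 1-style events.  Added example, not vendor detection logic."""
import re
from typing import Dict, List

# rule name -> (ATT&CK technique, regex applied to the command line)
RULES = {
    "defender_exclusion": (
        "T1562.001",
        re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b"
                   r"|Windows Defender\\Exclusions\\", re.I),
    ),
    "hidden_window": (
        "T1564.003",
        # powershell.exe accepts any unambiguous prefix of -WindowStyle (-w, -win, ...).
        re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b.*?\s-wi?n?d?o?w?s?t?y?l?e?\s+hidden\b", re.I),
    ),
    "scheduled_task": (
        "T1053.005",
        re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", re.I),
    ),
    "shadow_copy_delete": (
        "T1490",
        re.compile(r"\bvssadmin(?:\.exe)?\b.*?\bdelete\s+shadows\b"
                   r"|\bwmic(?:\.exe)?\b.*?\bshadowcopy\b.*?\bdelete\b", re.I),
    ),
}

# Constructed events; none of these command lines come from the real sample.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe readme.txt"},
]


def detect(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> sorted names of the rules its command line triggers.
    Events that trigger nothing are left out, so callers can test membership."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        cmd = ev.get("command_line", "")
        matched = sorted(name for name, (_, rx) in RULES.items() if rx.search(cmd))
        if matched:
            hits[i] = matched
    return hits


def techniques(hits: Dict[int, List[str]]) -> List[str]:
    """Distinct ATT&CK technique IDs across all hits, sorted."""
    return sorted({RULES[name][0] for names in hits.values() for name in names})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for idx, names in found.items():
        print(idx, SAMPLE_EVENTS[idx]["image"], names)
    print(techniques(found))
```

The first constructed event fires two rules at once (hidden window plus a Defender exclusion from the same PowerShell command line), which is the combination the ANY.RUN behaviour list above describes; a single hit on the task or shadow-copy rules is common in benign administration and should be correlated with the parent process before it is treated as malicious.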
Unpacked files

SHA256 hash: d2a8fc67ee43ce1bf1af64da8cf5798a81303121fae64e2dfd1386f483ce55ba
MD5 hash: d5c38c0a8c4444f9c37f4b56b6c5138e
SHA1 hash: b16e3a1c2333ecebdf35ca7afbe36bcd4938a49d

SHA256 hash: 3a5a3440a1e7baa07999562e0f85a49456243466f46f5aa52568d7fa173d1551
MD5 hash: 9ad20a2ddafc2b37a108a382d1a760c7
SHA1 hash: 09ef975e177eddb8aaa83ae150fcc6228da3ecb2

SHA256 hash: 5cb6522182cbf46982aee460e12d686b0f56f4c3e4bb29a8c60a775d5b8dd7b8
MD5 hash: ef4d4d9fae516897637de43309e2c94f
SHA1 hash: 0a22498cc358fce3bebd0268803cdbe4998fe22b

SHA256 hash: 562f036c5824d44c8813d73413d669d36ec1e34b204eec2b5bf1a945521eccd1
MD5 hash: 17eae3ede3ba4f463a883f7c74114e9d
SHA1 hash: 377c2bec03f39b068946f1202befdbe1ca2dc1da

SHA256 hash: 28bde8e7c76b00b6075225332a01d897ffc36ec95fe93630c62f586a80d5b871
MD5 hash: ca3215fccf2c31066b2d2ce16fec91fa
SHA1 hash: 6240052ba9f42f5e518a4fb925ecd8e1d36332d8

SHA256 hash: 297f1702cc13070cd23bbc6912fa461b8d4a477da02d03152c97846310c8e218
MD5 hash: e579ea61edfbb786eb43fd26076ad533
SHA1 hash: 6c0ee3d568384aa972660d297f3b78e29ced2c79

SHA256 hash: 176390b76a7791686c27dc077bf0a981ab755861962604793a7201ae0f9b3020
MD5 hash: 3f43394808ac4129def9e7c336fe002b
SHA1 hash: e38b2a012aff27d4d7dac6a8066dbc1bc1ca8392

SHA256 hash: 61d127faf392449d67b9ad6a62be5b6ae38194f88da86e4cb4e45fa5af3090b5
MD5 hash: 6e1f234215aeffbd0219346e0e0f9d25
SHA1 hash: f13c395614bd119df7c631db1ecd28b7e780af2b

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base64-encoded PowerShell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MAL_packer_lb_was_detected
Author: 0x0d4y
Description: Detect the packer used by Lockbit4.0

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_largefile
Author: k3nr9

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants
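Six of the rules above (BLOWFISH_Constants, MD5_Constants, RIPEMD160_Constants, SHA1_Constants, SHA512_Constants, WHIRLPOOL_Constants) do nothing more than look for the algorithms' published initialisation and round constants. The sample is tagged both pyinstaller and openssl, so a bundled general-purpose crypto library explains all of them at once; on their own they are not evidence of bespoke malware cryptography. The following added example shows what such a check effectively does and why co-occurring hits point to a library. It is not MalwareBazaar's code nor the rule authors' YARA; the constants are the standard ones from the algorithm specifications (a subset, for brevity), the "library-like" threshold is a heuristic chosen here, and every input buffer is constructed.

```python
"""Scan a buffer for published crypto initialisation constants, in both byte
orders, the way the *_Constants YARA rules do.  Added example; the heuristic in
is_explained_by_crypto_library() is an assumption, not a vendor rule."""
import struct
from typing import Dict, List

# MD5 and SHA-1 share the same first four state words A..D; SHA-1 adds E.
MD5_SHA1_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
SHA1_IV_E = [0xC3D2E1F0]
# First four MD5 round constants, T[i] = floor(2^32 * |sin(i)|).
MD5_T = [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE]
# Blowfish P-array, initialised from the hexadecimal digits of pi.
BLOWFISH_P = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344]
# SHA-256 initial hash value H0..H3.
SHA256_H = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A]

SIGNATURES: Dict[str, List[int]] = {
    "md5_or_sha1_iv": MD5_SHA1_IV,    # ambiguous on its own
    "sha1": MD5_SHA1_IV + SHA1_IV_E,  # disambiguated by the fifth word
    "md5": MD5_T,                     # disambiguated by the round constants
    "blowfish": BLOWFISH_P,
    "sha256": SHA256_H,
}


def pack_table(words: List[int], fmt: str) -> bytes:
    """Serialise 32-bit words the way a compiler lays out a constant table."""
    return b"".join(struct.pack(fmt, w) for w in words)


def scan_crypto_constants(data: bytes) -> Dict[str, str]:
    """Return {signature: endianness} for each constant set whose every word
    occurs in `data`.  Words are searched individually rather than as one run,
    so tables interleaved with other data, or constants loaded as immediates,
    still match.  Little-endian is tried first, then big-endian."""
    hits: Dict[str, str] = {}
    for name, words in SIGNATURES.items():
        for endian, fmt in (("little", "<I"), ("big", ">I")):
            if all(struct.pack(fmt, w) in data for w in words):
                hits[name] = endian
                break
    return hits


def is_explained_by_crypto_library(hits: Dict[str, str]) -> bool:
    """Heuristic (assumption, not a published rule): three or more unrelated
    algorithms present together is the profile of a bundled library such as
    OpenSSL; a single algorithm is the more interesting finding."""
    algorithms = {name for name in hits if name != "md5_or_sha1_iv"}
    return len(algorithms) >= 3


if __name__ == "__main__":
    # Constructed stand-in for a binary that statically links a hash library.
    library_like = pack_table(MD5_SHA1_IV + SHA1_IV_E + MD5_T + SHA256_H + BLOWFISH_P, "<I")
    found = scan_crypto_constants(library_like)
    print(found, is_explained_by_crypto_library(found))
    # Constructed stand-in for a binary carrying only an MD5 implementation.
    print(scan_crypto_constants(pack_table(MD5_SHA1_IV + MD5_T, "<I")))
```

Running this over the real sample's unpacked payload rather than the UPX-packed outer file matters: UPX compresses the constant tables, so a packed binary can miss every one of these rules and then match all of them once the sandbox dumps the unpacked image, which is consistent with the rules above being matched against process dumps as well as the uploaded file.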

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments