MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d37e0ccd8ff91c1c2beddf4a0f07132952eae84c96fde913a078e765282a05c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Expiro
Vendor detections: 13

SHA256 hash: d37e0ccd8ff91c1c2beddf4a0f07132952eae84c96fde913a078e765282a05c2
SHA3-384 hash: 3673ee9ddb43d16fd78a1949efe3753b7a7aa0d0c5736506c74e268fbac73d524afdfb39876e609ef2b1fa6c11880452
SHA1 hash: a7378cd7d66fb6949e19c2afb2908371a1f544f2
MD5 hash: 7dcb1b7a6dbccbb6509a0d6cefa96098
humanhash: bravo-idaho-mississippi-november
File name: d37e0ccd8ff91c1c2beddf4a0f07132952eae84c96fde913a078e765282a05c2
Signature: Expiro
File size: 1'451'008 bytes
First seen: 2025-06-09 13:22:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6c9e228643bd269d0492eb7418f0be01 (1 x Amadey, 1 x Expiro)
ssdeep: 24576:7VGGTWBZhoIFEJmKQiP6BukZNyuKLiw1D:5GyWBZCIFEJreukLyuaiw5
Threatray: 139 similar samples on MalwareBazaar
TLSH: T11F65015536C080B3D6A3193449F0A670AA7DFD341F604ADFB3942B2E6E746D29D39723
TrID: 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 00ca80c2c2808200 (36 x njrat, 4 x AsyncRAT, 4 x Smoke Loader)
Reporter: JAMESWT_WT
Tags: exe Expiro

Intelligence


File Origin
# of uploads: 1
# of downloads: 454
Origin country: IT
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: armsvc.exe
Verdict: Malicious activity
Analysis date: 2025-06-08 09:17:33 UTC
Tags: m0yv

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: shellcode dropper expiro blic
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Modifying an executable file
Launching a service
Searching for synchronization primitives
Modifying a system executable file
Connection attempt to an infection source
Launching a process
Creating a file in the system32 subdirectories
Loading a system driver
Modifying a system file
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun for a service
Query of malicious DNS domain
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Sending an HTTP POST request to an infection source
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph (ID 1709644): sample GuDShhkERw.exe, start date 09/06/2025, architecture WINDOWS, score 100
Processes started: GuDShhkERw.exe, TieringEngineService.exe, armsvc.exe, and 19 other processes
Network (whole graph): zlenh.biz, yunalwv.biz, and 38 other IPs or domains
Network (GuDShhkERw.exe): yunalwv.biz 104.156.155.94 (ports 49754, 49763, 49778; SRCACCESSUS, United States); myups.biz 165.160.15.20 (ports 49760, 80; CSCUS, United States); 9 other IPs or domains
Network (armsvc.exe): parkingpage.namecheap.com 91.195.240.19 (ports 49734, 49735, 80; SEDO-ASDE, Germany); anpmnmxo.biz 192.64.119.165 (ports 49732, 49733, 80; NAMECHEAP-NETUS, United States); 4 other IPs or domains
Files dropped (GuDShhkERw.exe): C:\Windows\System32\wbengine.exe (PE32+), C:\Windows\System32\wbem\WmiApSrv.exe (PE32+), C:\Windows\System32\vds.exe (PE32+), and 113 other malicious files
Files dropped (armsvc.exe): C:\Windows\System32\sppsvc.exe (PE32+)
Signatures (whole graph): Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 5 other signatures
Signatures (GuDShhkERw.exe): Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
Signatures (TieringEngineService.exe): Creates files inside the volume driver (system volume information); Contains functionality to behave differently if execute on a Russian/Kazak computer
Signatures (other processes): Found direct / indirect Syscall (likely to bypass EDR)
Threat name: Win32.Virus.Expiro
Status: Malicious
First seen: 2025-06-08 09:34:34 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Executes dropped EXE
Reads user/profile data of web browsers
Verdict: Malicious
Tags: expiro
YARA: n/a
Unpacked files
SHA256 hash: d37e0ccd8ff91c1c2beddf4a0f07132952eae84c96fde913a078e765282a05c2
MD5 hash: 7dcb1b7a6dbccbb6509a0d6cefa96098
SHA1 hash: a7378cd7d66fb6949e19c2afb2908371a1f544f2

SHA256 hash: 801ddcf77fc3c616f96b28b8a82e5cd9f0bc8f1b16dacc51ce676f1383f01350
MD5 hash: be15f3f3b6d8236834514c202a3e83ed
SHA1 hash: 6b5ff39f87342e8c083b6257d785a1c9bd3844b2

SHA256 hash: be56a226a0a0ebb6ba002c1a20d11966d39eb8b9baf8317a6ecc93b833d87125
MD5 hash: 3cf085e5a1b66ea68f331ff033be2717
SHA1 hash: bfe79bbc3ec6e586f4b3033fd98f6ce8c18d7114

SHA256 hash: 2b6bb9637f7134c2eccd8b4dc740d1445fac04710abc04f8823bce2b63042ac9
MD5 hash: 6fa615f675dd4a68b9a1d527effc5d80
SHA1 hash: 7901c4dad10c87456b8b06ec4bea3a50f822b934
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: pe_detect_tls_callbacks

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Windows_Trojan_M0yv_92f66467
Author: Elastic Security

Rule name: win_m0yv_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.m0yv.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments