MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d77fcb1b95b5eea1ebc853f5325b703346b5d97ae7ab186647cc18a37a2d188e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d77fcb1b95b5eea1ebc853f5325b703346b5d97ae7ab186647cc18a37a2d188e
SHA3-384 hash: 9c255eb26b1dc64b063ac3412bb1ee1bbfe602fd8d623b5949f5f4de7d7375343b27a05de2dbbd702037a4be94c74bdc
SHA1 hash: f7108ada5624c86ef377b0e8b146ee9c514bb5b7
MD5 hash: 6205e6d1cd62d337a9da862ff82d5e13
humanhash: blossom-pip-illinois-washington
File name:gh2clMX.exe
Download: download sample
File size:13'106'374 bytes
First seen:2025-12-11 13:57:00 UTC
Last seen:2025-12-11 15:48:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (52 x BlankGrabber, 26 x Efimer, 22 x NetSupport)
ssdeep 393216:egcDwGaa5wEMiuHClcuCe6mdUSCMy14zwAnc:YiaGziuilJCe9qJME4zwAnc
TLSH T1AAD6331853D009F6FDF7C53DE7225995E37678127B62C9EB83A042C01C635E62B3A3A6
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 29969696969696e8
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
95
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Link:
https://research.acce.ciphertechsolutions.com/results/82d5777f-5691-4fb8-bb59-c2fb42a1fef7/
Malware family:
n/a
ID:
1
File name:
gh2clMX.exe
Verdict:
Malicious activity
Analysis date:
2025-12-11 13:59:54 UTC
Tags:
pastebin telegram auto-reg python pyinstaller ims-api generic crypto-regex
Link:
https://app.any.run/tasks/d3e717b6-6976-405d-9da1-3c7f0f98c54a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44293/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693acdc9bde6a3e59710478c
Tags:
installer extens shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand installer-heuristic lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller
Link:
https://www.filescan.io/uploads/693acdc41eac7b9b76a5d4e9/reports/428b00cb-5e06-4502-bbe3-babe3d5118dc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d77fcb1b95b5eea1ebc853f5325b703346b5d97ae7ab186647cc18a37a2d188e
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-10T13:51:00Z UTC
Last seen:
2025-12-12T21:47:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.AntiAV.dcyc Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/d77fcb1b95b5eea1ebc853f5325b703346b5d97ae7ab186647cc18a37a2d188e/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f906e13e-0d6d-46c7-9839-9782feb0c982
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1830943
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Connects to a pastebin service (likely for C&C)
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses the Telegram API (likely for C&C communication)
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1830943 Sample: gh2clMX.exe Startdate: 11/12/2025 Architecture: WINDOWS Score: 92 75 pastebin.com 2->75 77 api.telegram.org 2->77 79 Multi AV Scanner detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 Yara detected MicroClip 2->83 89 3 other signatures 2->89 9 gh2clMX.exe 45 2->9         started        13 windows local.exe 45 2->13         started        15 windows local.exe 45 2->15         started        signatures3 85 Connects to a pastebin service (likely for C&C) 75->85 87 Uses the Telegram API (likely for C&C communication) 77->87 process4 file5 53 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->53 dropped 55 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->55 dropped 57 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 9->57 dropped 65 23 other files (none is malicious) 9->65 dropped 93 Found pyInstaller with non standard icon 9->93 17 gh2clMX.exe 3 5 9->17         started        59 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 13->59 dropped 61 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 13->61 dropped 63 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 13->63 dropped 67 23 other files (none is malicious) 13->67 dropped 22 windows local.exe 3 13->22         started        69 26 other files (none is malicious) 15->69 dropped 24 windows local.exe 3 15->24         started        signatures6 process7 dnsIp8 71 api.telegram.org 149.154.167.220, 443, 49695 TELEGRAMRU United Kingdom 17->71 73 pastebin.com 104.20.29.150, 443, 49688, 49697 CLOUDFLARENETUS United States 17->73 45 C:\Users\user\AppData\...\windows local.exe, PE32+ 17->45 dropped 47 C:\...\windows local.exe:Zone.Identifier, ASCII 17->47 dropped 91 Adds extensions / path to Windows Defender exclusion list (Registry) 17->91 26 powershell.exe 23 17->26         started        29 cmd.exe 1 17->29         started        49 C:\Users\user\AppData\Roaming\...\windows.exe, PE32+ 22->49 dropped 31 cmd.exe 22->31         started        51 C:\Users\user\AppData\...\windows seruc.exe, PE32+ 24->51 dropped 33 cmd.exe 1 24->33         started        file9 signatures10 process11 signatures12 95 Loading BitLocker PowerShell Module 26->95 35 WmiPrvSE.exe 26->35         started        37 conhost.exe 26->37         started        39 conhost.exe 29->39         started        41 conhost.exe 31->41         started        43 conhost.exe 33->43         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d77fcb1b95b5eea1ebc853f5325b703346b5d97ae7ab186647cc18a37a2d188e
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/6205e6d1cd62d337a9da862ff82d5e13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d77fcb1b95b5eea1ebc853f5325b703346b5d97ae7ab186647cc18a37a2d188e/
Verdict:
Malicious
Threat:
Trojan.Win32.AntiAV
Link:
https://tip.neiki.dev/file/d77fcb1b95b5eea1ebc853f5325b703346b5d97ae7ab186647cc18a37a2d188e
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 21:54:11 UTC
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2574wg4vwxxkd26ikp2tew3qgndllwl246vrqzshzqmkg6rndcha._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence pyinstaller
Link:
https://tria.ge/reports/251211-q9el2ssqes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f4b55011-534e-4a64-a1ac-03f3d757032d
Unpacked files
SH256 hash:
d77fcb1b95b5eea1ebc853f5325b703346b5d97ae7ab186647cc18a37a2d188e
MD5 hash:
6205e6d1cd62d337a9da862ff82d5e13
SHA1 hash:
f7108ada5624c86ef377b0e8b146ee9c514bb5b7
Link:
https://www.unpac.me/results/3a5803cf-494e-416e-9632-ab070034107b/
SH256 hash:
007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
MD5 hash:
8d4805f0651186046c48d3e2356623db
SHA1 hash:
18c27c000384418abcf9c88a72f3d55d83beda91
Link:
https://www.unpac.me/results/3a5803cf-494e-416e-9632-ab070034107b/
SH256 hash:
4ae581aa4e65fef9f92c84c428c990892da538b4d9289592df51fa31fd879770
MD5 hash:
6ca946631d8011ee1c2813637efe06fe
SHA1 hash:
46feb03c544c38d616d9af02ced161f2c44f8296
Link:
https://www.unpac.me/results/3a5803cf-494e-416e-9632-ab070034107b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d77fcb1b95b5eea1ebc853f5325b703346b5d97ae7ab186647cc18a37a2d188e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3731055/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/44293/
  
URLhaus
https://urlhaus.abuse.ch/url/3731616/

Comments