MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e13d3152d522fe7ea494ea8d85ff5391ba73c76f520e38f1993c106d1de72054. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash: e13d3152d522fe7ea494ea8d85ff5391ba73c76f520e38f1993c106d1de72054
SHA3-384 hash: ddcabf6ccce285c9f9516bc42b1844201c976b7dc12fbdb8986cd300f3f2091aff9581d0d4b8d5a08f4a075f761b2b6f
SHA1 hash: b0e3aa78fd2d4c568bed425220089095937c0a61
MD5 hash: 09aff59946b5dd035ebf238821c4cd64
humanhash: six-violet-white-green
File name:libcurl.dll
Download: download sample
File size:1'156'096 bytes
First seen:2026-07-13 11:50:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8447480e2cd13529de880ad35ebaeb26
ssdeep 24576:0aZm0S/Mpy3PEOJCEGnLuH58Z1tbeN2r6sfyjoB8Y:0aC/IycOp4iHcuDKQo
TLSH T13035331570A1C8FBC2D2873D83CD9B38B9A9BD8F00B4A4D5F8A09E1D525FB70127959E
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter burger
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
172
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
libcurl.dll
Verdict:
No threats detected
Analysis date:
2026-07-13 11:50:42 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Tags:
malware
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug evasive exploit explorer lolbin masquerade mingw packed
Verdict:
Malicious
Labled as:
Win64/GenKryptik_AGeneric.EKV trojan
Verdict:
Malicious
File Type:
dll x64
First seen:
2026-07-13T05:10:00Z UTC
Last seen:
2026-07-14T05:32:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl
Score:
72 / 100
Signature
Contains functionality to bypass UAC (CMSTPLUA)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1941482 Sample: libcurl.dll.exe Startdate: 13/07/2026 Architecture: WINDOWS Score: 72 20 Malicious sample detected (through community Yara rule) 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected UAC Bypass using CMSTP 2->24 7 loaddll64.exe 1 2->7         started        process3 signatures4 26 Contains functionality to bypass UAC (CMSTPLUA) 7->26 10 cmd.exe 1 7->10         started        12 rundll32.exe 7->12         started        14 rundll32.exe 7->14         started        16 35 other processes 7->16 process5 process6 18 rundll32.exe 10->18         started       
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Egairtigado
Status:
Malicious
First seen:
2026-07-13 11:51:49 UTC
File Type:
PE+ (Dll)
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Unpacked files
SH256 hash:
e13d3152d522fe7ea494ea8d85ff5391ba73c76f520e38f1993c106d1de72054
MD5 hash:
09aff59946b5dd035ebf238821c4cd64
SHA1 hash:
b0e3aa78fd2d4c568bed425220089095937c0a61
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_detect_tls_callbacks
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments