MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GlassWorm

Vendor detections: 6

Intelligence 6 IOCs YARA 8 File information Comments

SHA256 hash:	ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6
SHA3-384 hash:	c434fe8018e5ea2fe10b3aeba79daf1ef6e879616a6774653691af2de984e969d117012bde49d0c9587244ced2417f8f
SHA1 hash:	db8506a00b3e4348a8bfd903e092f6c95fb25843
MD5 hash:	77ec37533e1ad82ff42e58a9507477d8
humanhash:	ohio-friend-texas-snake
File name:	wave3_m_decrypted_macho
Download:	download sample
Signature	GlassWorm Create hunting rule
File size:	2'859'712 bytes
First seen:	2026-03-16 13:14:48 UTC
Last seen:	Never
File type:	macho
MIME type:	application/x-mach-binary
ssdeep	49152:/j8uyhmYcXoQwryCb6TwfdnGdLdfdiXHO4pPJdksedVdRd9lNduJpz:LDXobb7lGdLdfdAO4pksedVdRd7NduJp
TLSH	T1A6D5D016BA5C692DD2CBE0780FCE47A12276FC301520E6AB21A1F739DD72DE1961D723
TrID	82.2% (.DYLIB) Mac OS X Mach-O universal Dynamically linked shared Library (32500/1/5) 17.7% (.O/DYLIB/BUNDLE) Mac OS X Universal Binary (generic) (7002/2)
Magika	macho
Reporter	tipo_deincognito
Tags:	chrome-extension glassworm Mach-O machO macOS sideloader

tipo_deincognito

GlassWorm Wave 3 npm archive: decrypted m — macOS universal binary (x86_64+arm64). Chrome extension sideloader. Embeds malicious extension ZIP (RedExt RAT disguised as Google Docs Offline). Manipulates Chrome Preferences and Secure Preferences to bypass extension integrity checks.

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b8027688c80c01586ac38a

Tags:

infosteal

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6

Verdict:

Clean

File Type:

macho fat

Link:

https://opentip.kaspersky.com/ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6/results?tab=lookup

Score:

51%

Verdict:

Susipicious

File Type:

Mach-O universal binary

Link:

https://malprob.io/report/ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6

Threat name:

Binary.Trojan.Generic

Status:

Suspicious

First seen:

2026-03-16 13:15:34 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

4 of 36 (11.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5y7e3vob4bz3rac7ied4zr54pzxdyie74e7kat7t6iltzdn6osta._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DriveBy Activity

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	XCSSET_Strings Create hunting rule
Author:	@is_henderson
Description:	Rule based on deob strings - easymode

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GlassWorm

macho ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample