MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef82f249630ddcecd7a7251bc29b7457214e59dab67951b1d85d7c392b0043e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	ef82f249630ddcecd7a7251bc29b7457214e59dab67951b1d85d7c392b0043e4
SHA3-384 hash:	0dd881d5675149e5fd20c28aa0dc53a46dfea57a6cb089a358d84d443e93ddd359db172e723fbf5bb0af99646cf55549
SHA1 hash:	4a2b5981340b458b94933e5d3bb4d61f1bfc62f5
MD5 hash:	9bebd443673bdd3ff71c1a18646a1662
humanhash:	mexico-don-seventeen-four
File name:	main1.exe
Download:	download sample
File size:	17'566'487 bytes
First seen:	2025-12-18 09:00:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	456e8615ad4320c9f54e50319a19df9c (18 x SVCStealer, 11 x BlankGrabber, 5 x CoinMiner)
ssdeep	393216:Xl82DmdYT1+TtIiFmY9Z8D8CclFhCW8SAxGtCQMnSOX5+XpZ:1PeYT1QtIXa8DZcYW8SAYtaFp+
TLSH	T1AB07335A665308DCF9EA1536E6F1C012AEF2688E47B1D39F17B825200E773F19D39B21
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Joker
Tags:	exe trojan

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PyInstaller

Details

PyInstaller

a compiled assembly and a Python version

Link:

https://research.acce.ciphertechsolutions.com/results/00922ad2-b923-43cd-9e15-ad1de7bba8e2/

Malware family:

n/a

ID:

File name:

main1.exe

Verdict:

Suspicious activity

Analysis date:

2025-12-18 09:02:39 UTC

Tags:

pyinstaller python

Link:

https://app.any.run/tasks/3ef92012-ee1b-487e-abaa-719e3ebc67ac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45392/

Detection(s):

SecuriteInfo.com.Python.Muldrop.16.25653.2991.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6943c2e6c97f4a807a3b9d8a

Tags:

installer extens virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Using the Windows Management Instrumentation requests

Delayed reading of the file

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug expand expired-cert installer-heuristic lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller pyinstaller

Link:

https://www.filescan.io/uploads/6943c2e35ceddcfa3ff5e59a/reports/d1d714c3-ab53-430e-a502-138e1ba5ceee/overview

Verdict:

Malicious

Labled as:

Trojan.Agent

Link:

https://www.hybrid-analysis.com/sample/ef82f249630ddcecd7a7251bc29b7457214e59dab67951b1d85d7c392b0043e4

Verdict:

Malicious

File Type:

exe x64

First seen:

2024-10-08T09:42:00Z UTC

Last seen:

2024-10-08T10:41:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Python.Agent.gen Trojan.PowerShell.Persik.sbs

Link:

https://opentip.kaspersky.com/ef82f249630ddcecd7a7251bc29b7457214e59dab67951b1d85d7c392b0043e4/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e768012c-5e17-4444-ac10-f20ab53629c2

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ef82f249630ddcecd7a7251bc29b7457214e59dab67951b1d85d7c392b0043e4

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/9bebd443673bdd3ff71c1a18646a1662

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef82f249630ddcecd7a7251bc29b7457214e59dab67951b1d85d7c392b0043e4/

Verdict:

Malicious

Threat:

Trojan.Python.Agent

Link:

https://tip.neiki.dev/file/ef82f249630ddcecd7a7251bc29b7457214e59dab67951b1d85d7c392b0043e4

Threat name:

Win64.Trojan.Abadtrojan

Status:

Malicious

First seen:

2024-10-08 13:17:00 UTC

File Type:

PE+ (Exe)

Extracted files:

2527

AV detection:

13 of 36 (36.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=56bpesldbxoozv5heun4fg3uk4qu4wo2wz4vdmoylv6dskyaipsa._file

Result

Malware family:

n/a

Score:

10/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/251223-pyay2sypgs/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Malware Config

Dropper Extraction:

https://cloud.bluebird.in.ua/index.php/s/iz4ixP6Anpb2woS/download/rsload.net

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ec9df66f-126a-422b-8cf6-a8751a77f41f

Unpacked files

SH256 hash:

ef82f249630ddcecd7a7251bc29b7457214e59dab67951b1d85d7c392b0043e4

MD5 hash:

9bebd443673bdd3ff71c1a18646a1662

SHA1 hash:

4a2b5981340b458b94933e5d3bb4d61f1bfc62f5

Link:

https://www.unpac.me/results/ec100858-209b-4f5d-851d-0bb8fcbe2541/

SH256 hash:

05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

MD5 hash:

e547cf6d296a88f5b1c352c116df7c0c

SHA1 hash:

cafa14e0367f7c13ad140fd556f10f320a039783

Link:

https://www.unpac.me/results/ec100858-209b-4f5d-851d-0bb8fcbe2541/

SH256 hash:

837efb838cb91428c8c0dfb65d5af1e69823ff1594780eb8c8e9d78f7c4b2fc1

MD5 hash:

297e845dd893e549146ae6826101e64f

SHA1 hash:

6c52876ea6efb2bc8d630761752df8c0a79542f1

Link:

https://www.unpac.me/results/ec100858-209b-4f5d-851d-0bb8fcbe2541/

SH256 hash:

c6ffe2238134478d8cb1c695d57e794516f3790e211ff519f551e335230de7de

MD5 hash:

9fb68a0252e2b6cd99fd0cb6708c1606

SHA1 hash:

60ab372e8473fad0f03801b6719bf5cccfc2592e

Link:

https://www.unpac.me/results/ec100858-209b-4f5d-851d-0bb8fcbe2541/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef82f249630ddcecd7a7251bc29b7457214e59dab67951b1d85d7c392b0043e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45392/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample