MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2
SHA3-384 hash:	e9212620e9e07894126e442dc96d30bfd6e7f52d5b7c31780e0345a956f4a52b38f2690db51bff55f15ead0380b5904e
SHA1 hash:	f1f7af39cf0e1dafe7a178e51c6451f4a3a9286a
MD5 hash:	03196a06573754e4f08622a28b38584d
humanhash:	johnny-diet-lake-juliet
File name:	Kiddions Menu.exe
Download:	download sample
File size:	12'156'254 bytes
First seen:	2025-10-14 15:56:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dcaf48c1f10b0efa0a4472200f3850ed (52 x BlankGrabber, 26 x Efimer, 22 x NetSupport)
ssdeep	196608:XuoCn9AWhXXGurHm7ND9BKG+5fc2S/ErXKEtw+SJo7c+vfPB4sV6RMsqvvLwyrEf:XuPhXXGuCRDvV+53SM8+jfPBESDEWE11
Threatray	419 similar samples on MalwareBazaar
TLSH	T1D4C633986E31C5FBFBB6A13DD511DD2C966CAFA27249C29305A831F518375E8803DEE0
TrID	66.6% (.EXE) InstallShield setup (43053/19/16) 16.2% (.EXE) Win64 Executable (generic) (10522/11/4) 7.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.1% (.EXE) OS/2 Executable (generic) (2029/13) 3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	97ed6d31b96d6d9f
Reporter	Vip5676
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Kiddions Menu.zip

Verdict:

Malicious activity

Analysis date:

2025-09-13 21:23:47 UTC

Tags:

arch-exec python pyinstaller

Link:

https://app.any.run/tasks/ed6fd91a-6836-4f3b-99bc-4cf84e40fcef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/32760/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee72c397a16d00a8d9e8e7

Tags:

installer vmdetect extens virus

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Creating a window

Running batch commands

Creating a process with a hidden window

Сreating synchronization primitives

Creating a file

Searching for the window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

expand lolbin microsoft_visual_cc obfuscated overlay packed packer_detected threat

Link:

https://www.filescan.io/uploads/68ee73004f3013c55e4d92a2/reports/1dbcb217-1362-4db7-9d7f-8ddfd2f2cd5d/overview

Verdict:

Malicious

Labled as:

Trojan.Agent

Link:

https://www.hybrid-analysis.com/sample/efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2

Verdict:

Unknown

File Type:

exe x64

First seen:

2025-09-11T16:45:00Z UTC

Last seen:

2025-10-12T14:00:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/45f61401-a725-4fa2-a386-e774e2d9143f

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/03196a06573754e4f08622a28b38584d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=56v22csaffllogwqq3zffhfq6pufmndsuums4h4pcd4cedwwioza._file

Verdict:

malicious

Label(s):

lamehug

58451b250f085d8663cb5fbf9a9a57cdbef165959d70a0c0d68560b0cee4c1a5

98fd44fb5a8d3aa82fa579e10307982e8196f3e4c15414d79eccb77af3dc9b34

b29a838fea0ae473e9fb76f95a8b3d5f9d6a45489fc58cb805c26fca4dfb1d35

da9a5d5c584dd7c097e8b8992e1515e5d62965ef2f3399ccd1b72b64590d57c8

efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2

error

+ 409 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery pyinstaller trojan

Link:

https://tria.ge/reports/251014-terjxahv9f/

Behaviour

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Checks whether UAC is enabled

Network Share Discovery

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/322b10d8-1ade-4084-bb1d-25f025352d4f

Unpacked files

SH256 hash:

efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2

MD5 hash:

03196a06573754e4f08622a28b38584d

SHA1 hash:

f1f7af39cf0e1dafe7a178e51c6451f4a3a9286a

Link:

https://www.unpac.me/results/6ca3b482-944e-4cb2-8ec1-2acd9e742b86/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/efabad0a402956b71ad086f2529cb0f3e8563472a5192e1f8f10f8220ed643b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32760/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample