MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Efimer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3
SHA3-384 hash: 0ada15727e26e621c2f30963aed51a22f7537eb081764793be99b1513f1cab06c7c069643835c5dd1b26b2cf97c15db1
SHA1 hash: edd910f8b6c7a9a46060d25608c6e90ffeb9cc9b
MD5 hash: 2ad853e7d7cbd737a426d53f3bddb6ea
humanhash: magnesium-single-robin-undress
File name:zinfoz.dat
Download: download sample
Signature Efimer
Create hunting rule
File size:12'761'088 bytes
First seen:2026-02-03 15:11:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (43 x BlankGrabber, 22 x Efimer, 18 x PythonStealer)
ssdeep 196608:JEQFOD8f1kja9+dTm0Cin+7v0YlXMCHGLLc54i1wN+HfPIcu9KYK39sI3PPkuMRB:qDIKG4Tm0C+ajXMCHWUjwcuI3/PkuUS
TLSH T14BD6334C6AE041FED9B3907CA9D26B81E47474770372CADB47E4C662AF571D08D3AA23
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:ClickFix Efimer exe


Avatar
iamaachum
https://activatesoftinc.icu/zinfoz.dat

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Link:
https://research.acce.ciphertechsolutions.com/results/f1ab27ea-d54c-4a17-90ad-56796bfde576/
Malware family:
n/a
ID:
1
File name:
zinfoz.dat
Verdict:
Malicious activity
Analysis date:
2026-02-03 15:15:11 UTC
Tags:
python evasion anti-evasion pyinstaller efimer stealer crypto-regex
Link:
https://app.any.run/tasks/cb27262e-ab37-4d6a-b630-da1c62fb1209

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51504/
Detection(s):
SecuriteInfo.com.Variant.Application.Tedy.3948.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6982105287f81e55ffeefe3c
Tags:
installer shell sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand installer-heuristic lolbin masquerade microsoft_visual_cc overlay packed packed pyinstaller
Link:
https://www.filescan.io/uploads/6982103b2ffccda09766fc6c/reports/7452c055-8871-420b-af6e-4ec52ab0beb6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3
Verdict:
Malicious
File Type:
exe x64
Detections:
HEUR:Trojan.Python.Agent.gen
Link:
https://opentip.kaspersky.com/f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b6b3b942-90de-4c6e-8390-8006b0ad125a
Result
Threat name:
Efimer Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1862523
Signature
Adds a directory exclusion to Windows Defender
Found pyInstaller with non standard icon
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Efimer Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1862523 Sample: zinfoz.dat.exe Startdate: 03/02/2026 Architecture: WINDOWS Score: 100 80 ipinfo.io 2->80 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected Efimer Clipper 2->92 94 Sigma detected: WScript or CScript Dropper 2->94 96 6 other signatures 2->96 9 zinfoz.dat.exe 30 2->9         started        13 wscript.exe 2->13         started        15 wscript.exe 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 dnsIp5 70 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->70 dropped 72 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->72 dropped 74 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 9->74 dropped 76 15 other files (none is malicious) 9->76 dropped 100 Uses schtasks.exe or at.exe to add and modify task schedules 9->100 102 Adds a directory exclusion to Windows Defender 9->102 104 Found pyInstaller with non standard icon 9->104 20 zinfoz.dat.exe 10 9->20         started        106 Found Tor onion address 13->106 108 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->108 110 Suspicious execution chain found 13->110 24 ugate.exe 15->24         started        27 curl.exe 15->27         started        78 127.0.0.1 unknown unknown 17->78 file6 signatures7 process8 dnsIp9 62 C:\Users\Public\Documents\ivipu\ugate.exe, PE32+ 20->62 dropped 64 C:\Users\Public\Documents\ivipu\ubeqa.xml, XML 20->64 dropped 66 C:\Users\Public\Documents\ivipu\ubeqa.js, ASCII 20->66 dropped 68 C:\Users\Public\Documents\ivipu\ivawu.js, ASCII 20->68 dropped 98 Adds a directory exclusion to Windows Defender 20->98 29 cmd.exe 1 20->29         started        32 cmd.exe 1 20->32         started        34 cmd.exe 1 20->34         started        40 6 other processes 20->40 82 185.129.61.129, 443, 49711 ZENCURITY-NETDK Denmark 24->82 84 82.64.20.171, 49712, 59001 PROXADFR France 24->84 86 3 other IPs or domains 24->86 36 conhost.exe 24->36         started        38 conhost.exe 27->38         started        file10 signatures11 process12 dnsIp13 114 Adds a directory exclusion to Windows Defender 29->114 43 powershell.exe 23 29->43         started        46 conhost.exe 29->46         started        48 powershell.exe 21 32->48         started        50 conhost.exe 32->50         started        52 powershell.exe 21 34->52         started        54 conhost.exe 34->54         started        88 ipinfo.io 34.117.59.81, 443, 49705 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 40->88 56 powershell.exe 40->56         started        58 powershell.exe 40->58         started        60 7 other processes 40->60 signatures14 process15 signatures16 112 Loading BitLocker PowerShell Module 43->112
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3/
Verdict:
Malicious
Threat:
Family.EFIMER
Link:
https://tip.neiki.dev/file/f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-02-03 15:15:13 UTC
File Type:
PE+ (Exe)
Extracted files:
488
AV detection:
13 of 38 (34.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6r2esmuiv7w3cpz5dqthjauysc4ngevfomc6b4lgzg4zuvybz7zq._file
Result
Malware family:
efimer
Create hunting rule
Score:
  10/10
Tags:
family:efimer execution persistence pyinstaller trojan
Link:
https://tria.ge/reports/260203-sk3zfsfz4a/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Efimer
Efimer family
Unpacked files
SH256 hash:
f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3
MD5 hash:
2ad853e7d7cbd737a426d53f3bddb6ea
SHA1 hash:
edd910f8b6c7a9a46060d25608c6e90ffeb9cc9b
Link:
https://www.unpac.me/results/fce707ca-b9c9-4eeb-852a-76ac417ba1af/
SH256 hash:
1dbec60aa70d6a7acf72900ecf63264e23d1b5ac30551ef0de4dba8c51d46a03
MD5 hash:
b170840716017eee3620175b8886701a
SHA1 hash:
12e64cd3820bfbbfec40a1e39e013b4d9df4f9d7
Detections:
SUSP_OBF_PyArmor_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fce707ca-b9c9-4eeb-852a-76ac417ba1af/
SH256 hash:
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
MD5 hash:
862f820c3251e4ca6fc0ac00e4092239
SHA1 hash:
ef96d84b253041b090c243594f90938e9a487a9a
Link:
https://www.unpac.me/results/fce707ca-b9c9-4eeb-852a-76ac417ba1af/
SH256 hash:
a5c6a329698490a035133433928d04368ce6285bb91a9d074fc285de4c9a32a4
MD5 hash:
16855ebef31c5b1ebe767f1c617645b3
SHA1 hash:
315521f3a748abfa35cd4d48e8dd09d0556d989b
Link:
https://www.unpac.me/results/fce707ca-b9c9-4eeb-852a-76ac417ba1af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Efimer

Executable exe f474493288afedb13f3d1c2674829890b8d312a57305e0f166c9b99a5701cff3

(this sample)

  
Link
https://tria.ge/260203-rx1jesey6c/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/51504/

Comments