MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496
SHA3-384 hash: d29ca83ad746da7cae7ce64fc3a6a1b183ee08f4c3657902ae5a5a56b6a865b74da8a47e22772e049c2b7f3450beb1ed
SHA1 hash: 26138b4ab595a8a21f4034c1212d9dbe41ebe7b1
MD5 hash: 65ea352a3e1c058b9d35b4df8c3f5ae5
humanhash: jupiter-north-maine-white
File name:upbot.exe
Download: download sample
File size:6'977'104 bytes
First seen:2026-02-23 10:53:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (47 x BlankGrabber, 23 x Efimer, 19 x PythonStealer)
ssdeep 196608:c0aFrDCsXDjDyfmdJolpPgToa10/UFOnJw/VjnV5:cLFrDCEDLJ83a10MssVjn
TLSH T1C466339495D015A6EC27A13EDA32C425DAB238B75761CBCF06A443A77F276E4483EF03
TrID 70.9% (.EXE) InstallShield setup (43053/19/16)
10.7% (.EXE) Win64 Executable (generic) (6522/11/2)
8.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.3% (.EXE) OS/2 Executable (generic) (2029/13)
3.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Link:
https://research.acce.ciphertechsolutions.com/results/fac43787-d414-41ad-be87-b2a812dfbeb0/
Malware family:
n/a
ID:
1
File name:
upbot.exe
Verdict:
Malicious activity
Analysis date:
2026-02-22 10:56:49 UTC
Tags:
python auto-startup pyinstaller pastebin
Link:
https://app.any.run/tasks/ec5a5dd2-9620-4729-9159-348f878d4c60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54201/
Detection(s):
SecuriteInfo.com.Python.Packed.104.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699ae0eb8fffa866e3b070de
Tags:
vmdetect autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand installer-heuristic lolbin microsoft_visual_cc overlay packed pyinstaller
Link:
https://www.filescan.io/uploads/699c31dad967dbda74ee9975/reports/c8f0b88e-6e51-4042-a721-b88559c03d68/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496
Verdict:
Malicious
File Type:
exe x64
Detections:
PDM:Trojan.Win32.Generic Trojan.Win64.Agent.smfoau Trojan.Win64.Agent.sb
Link:
https://opentip.kaspersky.com/fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/35aa5db7-281c-487c-9f0d-16bb205ca282
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1873366
Signature
Antivirus detection for URL or domain
Found pyInstaller with non standard icon
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/65ea352a3e1c058b9d35b4df8c3f5ae5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-02-22 10:55:36 UTC
File Type:
PE+ (Exe)
Extracted files:
788
AV detection:
10 of 36 (27.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7toukn7mqovpq6qf63ugg6lirxbp64gtpccvvoclmtkqzdrogsla._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/260223-mzmccsev9d/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Unpacked files
SH256 hash:
fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496
MD5 hash:
65ea352a3e1c058b9d35b4df8c3f5ae5
SHA1 hash:
26138b4ab595a8a21f4034c1212d9dbe41ebe7b1
Link:
https://www.unpac.me/results/4e9e5730-5b48-4c57-8da9-1859f7eba480/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fcdd4537ec83aaf87a05f6e86379688dc2ff70d378855ab84b64d50c8e2e3496

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3782870/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3782877/
Cape
Cape
https://www.capesandbox.com/analysis/54201/

Comments