MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd07a311deb1224fdfebec2afbb408d353ade390085b2fd486fc79bb9ce735ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Growtopia


Vendor detections: 13

SHA256 hash: fd07a311deb1224fdfebec2afbb408d353ade390085b2fd486fc79bb9ce735ef
SHA3-384 hash: 54f32976d7eba40f3676438d7b80467b26ee1e46ad4acf982836ea8839c7c5d16234650b6290f6726fbbc2c61964aeaf
SHA1 hash: b248f8a67e52e327d5731127932b93e6f2df8648
MD5 hash: 6b021c13fe430013b512f320a2fa2e92
humanhash: florida-iowa-charlie-bluebird
File name: YazlmPeindeMerakEdilenOKurulumGeldi.exe
Signature: Growtopia
File size: 43'131'687 bytes
First seen: 2026-02-27 17:16:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: dcaf48c1f10b0efa0a4472200f3850ed (47 x BlankGrabber, 23 x Efimer, 21 x NetSupport)
ssdeep: 786432:b25vzPOmQuKz6FIFlUR1OOMW8IFQQ20pb0eLLsKMMo5ovsVuR8n4Od9gURHFijT/:S9z16z6FIEWvWGQ1pbUoeO8nTHk/
TLSH: T103973395334408A3E68A5776A2A3EB6669D3B93157D0C1CF5FFC21451C932E8BE3AF40
TrID: 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
      28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      11.5% (.EXE) OS/2 Executable (generic) (2029/13)
      11.3% (.EXE) Generic Win/DOS Executable (2002/3)
      11.3% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe geo growtopia TUR

Intelligence


File Origin
# of uploads: 1
# of downloads: 101
Origin country: SE
Vendor Threat Intelligence
Malware configuration found for: PyInstaller (a compiled assembly and a Python version)
Malware family: n/a
ID: 1
File name: YazlmPeindeMerakEdilenOKurulumGeldi.exe
Verdict: Malicious activity
Analysis date: 2026-02-25 21:22:57 UTC
Tags: pyinstaller auto-reg python stealer discord generic ims-api uac

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 90.2%
Tags: autorun extens shell sage
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: expand installer-heuristic lolbin microsoft_visual_cc overlay packed packed pyinstaller
Verdict: Malicious
File Type: exe x64
Detections: Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.BroPass.sb Trojan-GameThief.MSIL.Worgtop.c Trojan.Win32.Agent.sba Trojan.Win32.Agent.sb Trojan.Python.Locker.sba Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Agent.sba Trojan-GameThief.Win32.Worgtop.f Trojan.Win64.Agent.sb Trojan.Win32.Agent.xccueb PDM:Trojan.Win32.Generic NetTool.PythonUserAgent.HTTP.Download
Result
Threat name: Growtopia
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Contains functionality to infect the boot sector
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected Growtopia
Behaviour
Behavior Graph: (graph rendering omitted) Behavior Graph ID: 1876130; Sample: YazlmPeindeMerakEdilenOKuru...; Startdate: 27/02/2026; Architecture: WINDOWS; Score: 100; network contacts shown in the graph: discord.com (162.159.135.232, port 443) and api.ipify.org (104.26.13.205, port 443), both CLOUDFLARENETUS, United States.
Threat name: Win64.Trojan.Giant
Status: Malicious
First seen: 2026-02-25 21:22:40 UTC
File Type: PE+ (Exe)
Extracted files: 4743
AV detection: 10 of 36 (27.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: credential_access execution persistence pyinstaller spyware stealer
Behaviour
Detects videocard installed
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: dependsonpythonailib
Author: Tim Brown
Description: Hunts for dependencies on Python AI libraries
Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name: telebot_framework
Author: vietdx.mb
Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments