MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fde3819fe90193bd64f3e6257a9a7e683aa359405e40f56658ea56cae46ed8a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	fde3819fe90193bd64f3e6257a9a7e683aa359405e40f56658ea56cae46ed8a6
SHA3-384 hash:	36c62b9e10243daf0d07cd6b16b747dd1a9a8ecd0284a7f1da1be5dc871cb103b2aae7916d906f8553475038bfeeda9b
SHA1 hash:	767d274aaf67aac1b01764ba95afdfdcfc0285da
MD5 hash:	328eaac2117ff62d34fec8175cc72900
humanhash:	single-ohio-august-ten
File name:	MicrosoftUpdate.exe
Download:	download sample
File size:	32'840'946 bytes
First seen:	2025-12-05 07:34:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dcaf48c1f10b0efa0a4472200f3850ed (39 x BlankGrabber, 16 x SalatStealer, 15 x PythonStealer)
ssdeep	786432:IujmF/XktzMFlUR1OiAhnCdsqVtcQT1RYyyvV/M8+N5B1/P8Dpw4j:IXZkZMEWHVCdsacaDH8+N5BZ2pw4
TLSH	T17877334CB1E058CEFEBB913F8455C8068F69B1D39BE2C89E079899321C57AEC1D35B94
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	smica83
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PyInstaller

Details

PyInstaller

a compiled assembly and a Python version

Link:

https://research.acce.ciphertechsolutions.com/results/0f35bd88-bd87-4d04-9154-813917409e38/

Malware family:

n/a

ID:

File name:

MicrosoftUpdate.exe

Verdict:

Malicious activity

Analysis date:

2025-12-05 07:35:58 UTC

Tags:

python pyinstaller

Link:

https://app.any.run/tasks/b194c08b-388b-4ee4-8e86-bd9830771ed7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69328b7b221589dfd96c57b8

Tags:

n/a

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug expand installer-heuristic lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller pyinstaller

Link:

https://www.filescan.io/uploads/69328b3bd12d1c79d4299742/reports/be7fee1d-5ffe-4fa4-bca0-04373d995c99/overview

Verdict:

Malicious

Labled as:

Trojan.Agent

Link:

https://www.hybrid-analysis.com/sample/fde3819fe90193bd64f3e6257a9a7e683aa359405e40f56658ea56cae46ed8a6

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-21T09:06:00Z UTC

Last seen:

2025-12-05T08:24:00Z UTC

Hits:

~100

Detections:

Trojan.Agent.UDP.C&C Trojan.Win32.Agent.xcayte

Link:

https://opentip.kaspersky.com/fde3819fe90193bd64f3e6257a9a7e683aa359405e40f56658ea56cae46ed8a6/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1827048

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fde3819fe90193bd64f3e6257a9a7e683aa359405e40f56658ea56cae46ed8a6

Gathering data

Verdict:

Malicious

Threat:

Trojan.Win32.UDP

Link:

https://tip.neiki.dev/file/fde3819fe90193bd64f3e6257a9a7e683aa359405e40f56658ea56cae46ed8a6

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-11-21 13:50:55 UTC

File Type:

PE+ (Exe)

Extracted files:

2095

AV detection:

14 of 38 (36.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7xrydh7jagj32zht4ysxvgt6na5kgwkalzapkzsy5jlmvzdo3cta._file

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/251205-jejtysek6x/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6da55617-3900-49e3-b81d-4e651d7bf94b

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fde3819fe90193bd64f3e6257a9a7e683aa359405e40f56658ea56cae46ed8a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample