MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30bde4508556de4942081b7e16f320c638a7744efe602ad160b700e3575f585b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30bde4508556de4942081b7e16f320c638a7744efe602ad160b700e3575f585b
SHA3-384 hash: e32cafddf1d365101fc295ced929a634f5648b310b0b51e9a6c3d597fa90495b4e412c2d94e36c6c7d32a8ce94ce85c4
SHA1 hash: ba6d7b8aa6f6d0847f65fcd5e512e785731c9c08
MD5 hash: 4d963241296a0b5ae8d59aac9b02cc00
humanhash: louisiana-connecticut-saturn-enemy
File name:erto3e4rortoergn.exe
Download: download sample
File size:39'984'640 bytes
First seen:2026-02-27 07:59:06 UTC
Last seen:2026-02-27 08:33:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 935f401fbefe56e6277c13307758a82c
ssdeep 786432:eC1vTUSriZ9EXzunaMVXoLymeo5YA9pFgixoiCJky4snkrXF:nBUSmZ9EAaMuLymeo5TxoiQAGkDF
TLSH T1419723D755E9B2F4C0C34A08A18E518E65C094FEC9FE5A5C1DCB8C031A55EAF4A8DBB3
TrID 44.6% (.EXE) Win64 Executable (generic) (6522/11/2)
14.0% (.ICL) Windows Icons Library (generic) (2059/9)
13.8% (.EXE) OS/2 Executable (generic) (2029/13)
13.7% (.EXE) Generic Win/DOS Executable (2002/3)
13.6% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
erto3e4rortoergn.exe
Verdict:
No threats detected
Analysis date:
2026-02-27 07:59:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/db8d28d7-1155-4b22-8c2a-5567dcbcb733

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a14ec6c950ab5d9ab2075a
Tags:
malware
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug obfuscated packed packed unsafe vmprotect
Link:
https://www.filescan.io/uploads/69a14edd10e80629d4f4f812/reports/86e73973-e3c2-4d8a-9ba1-ce938cc801b1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/30bde4508556de4942081b7e16f320c638a7744efe602ad160b700e3575f585b
Verdict:
Clean
File Type:
exe x64
Link:
https://opentip.kaspersky.com/30bde4508556de4942081b7e16f320c638a7744efe602ad160b700e3575f585b/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1875795
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/30bde4508556de4942081b7e16f320c638a7744efe602ad160b700e3575f585b
Gathering data
Verdict:
Clean
Link:
https://tip.neiki.dev/file/30bde4508556de4942081b7e16f320c638a7744efe602ad160b700e3575f585b
Threat name:
Win64.Packed.VMProtect
Create hunting rule
Status:
Suspicious
First seen:
2026-02-27 07:59:04 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
14 of 38 (36.84%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gc66iuefk3pesqqidn7bn4zayy4ko5co7zqcvulaw4aogv27lbnq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/260227-jvlngsg18c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/30bde4508556de4942081b7e16f320c638a7744efe602ad160b700e3575f585b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments