MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6
SHA3-384 hash: 6cd800457e98f0761457c416eeb726592ad7defc554cbaa94f366043b1212e2b9fe612a17bb79f1fed46d3fb66e6bac7
SHA1 hash: fac600a30371994ecbdc2e36b3b2dfe3a19c467d
MD5 hash: 9c262d3507270c81780687247442c89a
humanhash: equal-utah-equal-pip
File name:Atasurefinery Aggrement Atasurefinery Aggrement Atasurefinery Aggrement Atasurefinery Aggrement Atasurefinery Aggrement Atasurefinery Aggrement Atasurefinery Aggrement.pdf.exe
Download: download sample
Signature Chaos
Create hunting rule
File size:622'689 bytes
First seen:2025-09-30 15:28:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c75a83e117d2bdfb2814c53e840c172 (3 x SalatStealer, 2 x Chaos, 1 x XWorm)
ssdeep 6144:sj1zho1x2kD02IXYwa6fWnUh7bxa57SzYCO8gG4iR+v/74D8+xnoL+lDAAik2/hn:khoVY2+LfWvRSECKG4iRkTqoSdAAik2V
Threatray 314 similar samples on MalwareBazaar
TLSH T16BD44CE4E79440F8D0A3957988378653E633780E4F649A4F17E1BE5B3E33391892AB53
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Anonymous
Tags:Chaos exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
US US
Vendor Threat Intelligence
Malware family:
ryuk
Create hunting rule
ID:
1
File name:
b49ca4c2-bf13-4710-ba5a-2b455a6310ee
Verdict:
Malicious activity
Analysis date:
2025-09-30 15:31:55 UTC
Tags:
crypto-regex chaos ryuk ransomware auto-startup
Link:
https://app.any.run/tasks/b49ca4c2-bf13-4710-ba5a-2b455a6310ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29597/
Detection(s):
SecuriteInfo.com.W64.Kryptik.GWG.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68dbf72440b7da0b4eb8d950
Tags:
underscore ransomware dropper spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Program Files directory
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
Launching a process
Creating a file
Creating a file in the %AppData% directory
Changing a file
Reading critical registry keys
Modifies multiple files
Moving a file to the %AppData% subdirectory
Creating a file in the %AppData% subdirectories
Running batch commands
Unauthorized injection to a recently created process
Creating a file in the mass storage device
Stealing user critical data
Deleting volume shadow copies
Preventing system recovery
Enabling autorun by creating a file
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint installer masquerade microsoft_visual_cc obfuscated overlay packed packer_detected ransomware sfx
Link:
https://www.filescan.io/uploads/68dbf739674d5fd6aa1150a4/reports/d18c6d2b-0761-4e82-85e1-4385205f70af/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6
Verdict:
Unknown
File Type:
exe x64
Link:
https://opentip.kaspersky.com/7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ded406d8-7b2d-4328-a71f-b441f95a5f2a
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6/
Verdict:
Malicious
Threat:
Family.CHAOS
Link:
https://tip.neiki.dev/file/7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-09-27 18:16:59 UTC
File Type:
PE+ (Exe)
Extracted files:
27
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2cpikdz4zsj3rm7jiprbz36n65lffyc6fzd2y5gc7fnlc3ujc3a._file
Verdict:
malicious
Label(s):
unc_loader_063
Create hunting rule
chaos
Create hunting rule
genericransomware
Create hunting rule
Similar samples:
19363e726568f4852d57a7c9695268f9e3610221e55002766609cf217c629c09
Chaos
26f9d0439f902a40aeff9e48630fb12a004858c06b0b9f4cacf157951617de51
Chaos
2d55dd55ed7bc12e9eeb1ef36035e05c8bc41c45b01af0fbc57a366d27834e2b
Chaos
2ed5fceeb801a4c83914ceff3ac46166490682b81bf481db4687cd1d6b0a16c2
Chaos
63c4b6af6ba82506643626a6bc93c235e17d311d45c6affd73d56c327015bd4b
Chaos
7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6
Chaos
edeb8e2f37243ae8620ab353026940c6b4fe5d2078b506298ed7aff227c17c18
Chaos
error
Chaos
+ 304 additional samples on MalwareBazaar
Result
Malware family:
chaos
Create hunting rule
Score:
  10/10
Tags:
family:chaos adware defense_evasion discovery evasion execution impact persistence ransomware spyware stealer
Link:
https://tria.ge/reports/250930-swvr8asly5/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Deletes backup catalog
Deletes shadow copies
Modifies boot configuration data using bcdedit
Chaos
Chaos Ransomware
Chaos family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e3b92f2d-7cd6-4087-aa7a-e2b8cd99ed60
Unpacked files
SH256 hash:
7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6
MD5 hash:
9c262d3507270c81780687247442c89a
SHA1 hash:
fac600a30371994ecbdc2e36b3b2dfe3a19c467d
Link:
https://www.unpac.me/results/93ae4e11-cf6b-4dff-bf63-f920bbf46793/
SH256 hash:
1455ebe290d61b3930f6ed97039c1236ae1b68dd4eb615b95c3347a02704a16e
MD5 hash:
2b4331179da94de7e3bd0f1a96036573
SHA1 hash:
b9009ad14b8dcc715bf76aeeb051ee65c51c745e
Link:
https://www.unpac.me/results/93ae4e11-cf6b-4dff-bf63-f920bbf46793/
Malware family:
Chaos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e84f42879e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MAL_RANSOM_COVID19_Apr20_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ransomware distributed in COVID-19 theme
Reference:https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Rule name:MAL_RANSOM_COVID19_Apr20_1_RID2ECC
Create hunting rule
Author:Florian Roth
Description:Detects ransomware distributed in COVID-19 theme
Reference:https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29597/

Comments