MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae9e9325f8e8c491356f4855b444aed5958feb4060982d37a06b6e8844abd04d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Havoc

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	ae9e9325f8e8c491356f4855b444aed5958feb4060982d37a06b6e8844abd04d
SHA3-384 hash:	4625198318ed37c0d882ad15d57cc8c2a9cda8a8418d331bc19a4a77a739eb30f51a3da1b1092224971a6910b5bb66b0
SHA1 hash:	5f76df0d70f69ea223615101f0a3d82575aeb397
MD5 hash:	1fd95cc2e40e74514d7a1dc188b66268
humanhash:	seventeen-social-georgia-hotel
File name:	toogood.exe
Download:	download sample
Signature	Havoc Create hunting rule
File size:	118'784 bytes
First seen:	2026-03-21 19:24:49 UTC
Last seen:	2026-03-22 20:23:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c1f4358211a66fe3d457f3e6f5983347 (4 x Havoc)
ssdeep	3072:9VJxf+BG0fuj2RR26G5NgLnNSWwXEetYj0y:9FRQS2qIM5XdtYwy
TLSH	T192C3020552B2A5BEC167643297D95BB1F334EA018B254EBE07E1D1716F80E207F6F82A
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	burger
Tags:	exe Havoc

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

toogood.exe

Verdict:

No threats detected

Analysis date:

2026-03-21 19:27:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c69eb867-2f76-401e-b63b-c6bdfc7712ee

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69bef0b8390b996474128944

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Gathering data

Verdict:

Malicious

Labled as:

Win64/Injector_AGeneric.GR trojan

Link:

https://www.hybrid-analysis.com/sample/ae9e9325f8e8c491356f4855b444aed5958feb4060982d37a06b6e8844abd04d

Verdict:

Malicious

File Type:

exe x64

Detections:

PDM:Trojan.Win32.Generic Backdoor.Win64.Havoc.hwr Backdoor.C2.HTTP.ServerRequest HEUR:Backdoor.Win64.C2.h Backdoor.Win64.Shellcode.sbb Exploit.CVE-2024-41570.HTTP.C&C

Link:

https://opentip.kaspersky.com/ae9e9325f8e8c491356f4855b444aed5958feb4060982d37a06b6e8844abd04d/results?tab=lookup

Malware family:

Havoc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/812fc861-8414-401e-8ed5-7ac83cf3864b

Result

Threat name:

Havoc

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1887228

Signature

Found direct / indirect Syscall (likely to bypass EDR)

Multi AV Scanner detection for submitted file

Unusual module load detection (module proxying)

Yara detected Havoc

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ae9e9325f8e8c491356f4855b444aed5958feb4060982d37a06b6e8844abd04d

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae9e9325f8e8c491356f4855b444aed5958feb4060982d37a06b6e8844abd04d/

Verdict:

Malicious

Threat:

Family.HAVOC

Link:

https://tip.neiki.dev/file/ae9e9325f8e8c491356f4855b444aed5958feb4060982d37a06b6e8844abd04d

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-03-21 19:26:05 UTC

File Type:

PE+ (Exe)

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v2pjgjpy5dcjcnlpjbk3irfo2wky722amcmc2n5annxiqrfl2bgq._file

Verdict:

malicious

Label(s):

havoc

Similar samples:

error

Havoc

Result

Malware family:

havoc

Score:

10/10

Tags:

family:havoc backdoor

Link:

https://tria.ge/reports/260321-x46lxacx9j/

Behaviour

Detects Havoc payload

Havoc family

Havoc, HavocC2

Unpacked files

SH256 hash:

ae9e9325f8e8c491356f4855b444aed5958feb4060982d37a06b6e8844abd04d

MD5 hash:

1fd95cc2e40e74514d7a1dc188b66268

SHA1 hash:

5f76df0d70f69ea223615101f0a3d82575aeb397

Link:

https://www.unpac.me/results/56ba9ec6-f35c-4d38-bdda-090b85046761/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/ae9e9325f8e8c491356f4855b444aed5958feb4060982d37a06b6e8844abd04d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.