MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b032335922778ce4091c5f11f9906e479b82d7b02aecc6b268a45ce7b0d14fcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 15


Intelligence 15 IOCs YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b032335922778ce4091c5f11f9906e479b82d7b02aecc6b268a45ce7b0d14fcd
SHA3-384 hash: 79b2fedb69f873fd2d4735db466c89f3d0eddb706e9080fed3b1573a1662aef31719cf0c16d0c1514232cb2f5366ffd8
SHA1 hash: dae7f2987a406e2cb496e38cfb7995fce091e565
MD5 hash: 5d2423ef31627e3095afee9f11230c8e
humanhash: stream-bulldog-social-mountain
File name:nigga.exe
Download: download sample
Signature Chaos
Create hunting rule
File size:183'296 bytes
First seen:2025-07-24 14:36:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'919 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 3072:fuujVE4DwpBbjSG9X6BT+bZZZ/r6IL3L9jFpxO279q78PbrcpmJqS3:2JljSG9K1+RrR79jbSPpmJ
TLSH T19504F81437FA4624F2BF9F7868B142418A77B956EC36C74E098E109E0B73B948961F73
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags:Chaos exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
emotet
Create hunting rule
ID:
1
File name:
nigga.exe
Verdict:
Malicious activity
Analysis date:
2025-07-16 21:19:02 UTC
Tags:
conti ransomware blackmatter emotet stealer uac lockbit3 darkside lockbit
Link:
https://app.any.run/tasks/8b9ae68d-3141-4965-88d6-cf97508a9e15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
HakunaMatata
Create hunting rule
Link:
https://www.capesandbox.com/analysis/16620/
Detection(s):
Win.Ransomware.Zusy-10043806-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688244f684b37dd61ef154df
Tags:
vmdetect emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file
Creating a file in the %AppData% directory
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Deleting volume shadow copies
Launching the process to interact with network services
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
Ransom.BlackMatter.A.Generic
Link:
https://www.hybrid-analysis.com/sample/b032335922778ce4091c5f11f9906e479b82d7b02aecc6b268a45ce7b0d14fcd
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/594a9f51-059b-4c92-8838-0a0830ad3989
Result
Threat name:
Babuk, DarkSide
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1743458
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Deletes shadow drive data (may be related to ransomware)
Disables security and backup related services
Found ransom note / readme
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Windows Service Tampering
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes a notice file (html or txt) to demand a ransom
Yara detected Babuk Ransomware
Yara detected DarkSide Ransomware
Yara detected Python Ransomware
Yara detected RansomwareGeneric12
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1743458 Sample: nigga.exe Startdate: 24/07/2025 Architecture: WINDOWS Score: 100 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Found ransom note / readme 2->63 65 16 other signatures 2->65 8 nigga.exe 1 2 2->8         started        process3 file4 57 C:\Users\user\AppData\...\README.d2776a2f.TXT, ASCII 8->57 dropped 67 May disable shadow drive data (uses vssadmin) 8->67 69 Contains functionality to start a terminal service 8->69 71 Contains functionality to hide user accounts 8->71 73 6 other signatures 8->73 12 vssadmin.exe 1 8->12         started        15 cmd.exe 1 8->15         started        17 cmd.exe 1 8->17         started        19 13 other processes 8->19 signatures5 process6 signatures7 75 Deletes shadow drive data (may be related to ransomware) 12->75 21 conhost.exe 12->21         started        23 net.exe 1 15->23         started        25 conhost.exe 15->25         started        27 net.exe 1 17->27         started        29 conhost.exe 17->29         started        31 net.exe 1 19->31         started        33 net.exe 1 19->33         started        35 net.exe 1 19->35         started        37 23 other processes 19->37 process8 process9 39 net1.exe 1 23->39         started        41 net1.exe 1 27->41         started        43 net1.exe 1 31->43         started        45 net1.exe 1 33->45         started        47 net1.exe 1 35->47         started        49 net1.exe 1 37->49         started        51 net1.exe 1 37->51         started        53 net1.exe 1 37->53         started        55 6 other processes 37->55
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b032335922778ce4091c5f11f9906e479b82d7b02aecc6b268a45ce7b0d14fcd
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.35 Win 32 Exe x86
Link:
https://app.malva.re/file/5d2423ef31627e3095afee9f11230c8e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b032335922778ce4091c5f11f9906e479b82d7b02aecc6b268a45ce7b0d14fcd/
Verdict:
Malicious
Threat:
Trojan.Win32.Vimditator
Link:
https://tip.neiki.dev/file/b032335922778ce4091c5f11f9906e479b82d7b02aecc6b268a45ce7b0d14fcd
Threat name:
ByteCode-MSIL.Ransomware.BlackMatter
Create hunting rule
Status:
Malicious
First seen:
2025-07-24 17:30:18 UTC
AV detection:
21 of 22 (95.45%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wazdgwjco6goici4l4i7tedoi6nyfv5qflwmnmtiuroopmgrj7gq._file
Verdict:
malicious
Label(s):
genericransomware
Create hunting rule
emotet
Create hunting rule
blackmatter
Create hunting rule
Similar samples:
error
Chaos
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion evasion execution impact persistence ransomware
Link:
https://tria.ge/reports/250724-rzbcbazzhz/
Behaviour
Delays execution with timeout.exe
Interacts with shadow copies
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Deletes shadow copies
Modifies boot configuration data using bcdedit
Verdict:
Malicious
Tags:
ransomware chaos clop Win.Ransomware.Zusy-10043806-0
YARA:
MALWARE_Win_Chaos Windows_Ransomware_Clop_e04959b5
Link:
https://app.threat.zone/submission/30a09184-f864-469b-852a-09f1187992f6
Unpacked files
SH256 hash:
b032335922778ce4091c5f11f9906e479b82d7b02aecc6b268a45ce7b0d14fcd
MD5 hash:
5d2423ef31627e3095afee9f11230c8e
SHA1 hash:
dae7f2987a406e2cb496e38cfb7995fce091e565
Link:
https://www.unpac.me/results/d5ff59bf-b578-4d29-8439-c71b70410ea9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b032335922778ce4091c5f11f9906e479b82d7b02aecc6b268a45ce7b0d14fcd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Darkside
Create hunting rule
Author:@bartblaze
Description:Identifies Darkside ransomware.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:INDICATOR_SUSPICIOUS_ClearWinLogs
Create hunting rule
Author:ditekSHen
Description:Detects executables containing commands for clearing Windows Event Logs
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:Detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:INDICATOR_SUSPICOUS_EXE_References_VEEAM
Create hunting rule
Author:ditekSHen
Description:Detects executables containing many references to VEEAM. Observed in ransomware
Rule name:MALWARE_Win_Chaos
Create hunting rule
Author:ditekSHen
Description:Detects Chaos ransomware
Rule name:MALWARE_Win_HakunaMatata
Create hunting rule
Author:ditekSHen
Description:Detects HakunaMatata ransomware
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Base64_Xor_Implementation
Create hunting rule
Author:Jonathan Peters (cod3nym)
Description:Detects .NET applications implementing xor encryption/decryption for Base64 strings
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Ransomware_Clop_e04959b5
Create hunting rule
Description:Identifies CLOP ransomware in unpacked state
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.clop
Rule name:Windows_Ransomware_Clop_e04959b5
Create hunting rule
Author:Elastic Security
Description:Identifies CLOP ransomware in unpacked state
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.clop
Rule name:xtreme_rat
Create hunting rule
Author:Kevin Falcoz
Description:Xtreme RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/16620/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments