MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b
SHA3-384 hash:	eccca5e44577dcdf5efd11fa44f1ac136838d6939394e4fbcc940cf4c3a91a0572f6e853a1a856a1a2d0e002b77b6138
SHA1 hash:	a810f5e393b714af5f9c0ab0e1aa92a62c80e4d2
MD5 hash:	04628328ac01e764d7c2adac95fc754a
humanhash:	six-golf-eighteen-social
File name:	1.exe
Download:	download sample
File size:	983'040 bytes
First seen:	2026-06-01 13:31:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	18fd7d37c86cbc5180c571d947a9e623
ssdeep	12288:ii9CUy39ifguyr6QLyEH3W1BS4SG+Kne/EAm5mY9v/Zho6WoWcPqu8:ii93y3e/yr6Sys3+5SvKnNZzWcPe
TLSH	T1C0259F02B1D2C0F2C5151A7115B6633A9AB58B0A4B3DCAC7E7E4FD7D7C32292EB32159
TrID	36.0% (.EXE) InstallShield setup (43053/19/16) 26.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 13.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.4% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika	pebin
dhash icon	a261bae8d2a896ca (39 x Blackmoon, 9 x Gh0stRAT, 3 x CobaltStrike)
Reporter	BlinkzSec

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b.exe

Verdict:

No threats detected

Analysis date:

2026-06-01 13:31:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/59bf2c7b-9746-41bd-87d5-ae581b224c92

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68713/

Detection(s):

Win.Malware.Gotango-7000352-0

Win.Malware.Agen-7172367-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a1d89cc5a2e3b5e58e4f925

Tags:

flystudio farfli

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file

Connection attempt

Sending a custom TCP request

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-06-01T11:08:00Z UTC

Last seen:

2026-06-03T04:26:00Z UTC

Hits:

~10

Detections:

UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c322d40d-e204-4449-abc7-6a953ffa15e8

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-06-01 12:54:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xqxlrhbr2klqupb7szl4nzoeoaiifu3uvcfsybvu767mbog4uy5q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/260601-qsln2adz5w/

Behaviour

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

Unpacked files

SH256 hash:

bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b

MD5 hash:

04628328ac01e764d7c2adac95fc754a

SHA1 hash:

a810f5e393b714af5f9c0ab0e1aa92a62c80e4d2

Link:

https://www.unpac.me/results/8dcbb4e0-496b-4c63-9d1e-628ef8778c20/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Generic_Threat_bc6ae28d Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe bc2eb89c31d2970a3c3f9657c6e5c4701082d374a88b2c06b4ffbec0b8dca63b

(this sample)

Cape

https://www.capesandbox.com/analysis/68713/

URLhaus

https://urlhaus.abuse.ch/url/3857117/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample