MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfa36eb058e276e8085e2c5dabade21c688eee2b38d806b74da4aa51688b8e98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	bfa36eb058e276e8085e2c5dabade21c688eee2b38d806b74da4aa51688b8e98
SHA3-384 hash:	d56f0cf290d1a58f663780879fa95fc9799264513ba31310d3669ce8c91d7f04914b0ed05f326b7f72a7c409d0087a01
SHA1 hash:	95a16cde01e90251e7ee7c8e83d66ae501674efe
MD5 hash:	e6c9b3e784edfe1e7a4aa3e9dbc9d6bd
humanhash:	undress-three-king-uniform
File name:	AetherBeast.exe
Download:	download sample
File size:	26'090'352 bytes
First seen:	2026-06-24 12:01:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d54f439a5f27d050424502aee8cfa597
ssdeep	393216:aap0m05rZHbSXB1Vb0bvQMPJNxraxqjFRu5q4fVi+K/w3xiS8RedCXuFuOK:aap7muB1V8vQ2OIFRbyXb26C+VK
TLSH	T1CC4733C676514A3ECB628BFDE283A3EC94BA91050B32A5EF6E447E540B430E653777C4
TrID	37.0% (.EXE) Win64 Executable (generic) (6522/11/2) 28.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.5% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3) 11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
dhash icon	ca59687561952c28
Reporter	kejult
Tags:	exe overlord RAT signed

Code Signing Certificate

Organisation:	Pearl Bay Software
Issuer:	Pearl Bay Software
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-06-14T18:23:38Z
Valid to:	2028-06-14T18:23:38Z
Serial number:	76b5903a5adf27b9408be8e299f541eb
Thumbprint Algorithm:	SHA256
Thumbprint:	8d80810c03348c8758d37376ef643de92f8d23fb2f8f4fb61a909f5facb2c212
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

https://workupload.com/file/8jL4xMR2jEj

Verdict:

Malicious activity

Analysis date:

2026-06-24 11:55:47 UTC

Tags:

qrcode overlord rat evasion stealer

Link:

https://app.any.run/tasks/64046550-834a-4245-9d39-db60fdda8fb4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/71836/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.79322799.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a3bc74b1548daf709f966f0

Tags:

virus

Result

Verdict:

Clean

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug installer-heuristic lolbin microsoft_visual_cc packed reg signed

Link:

https://www.filescan.io/uploads/6a3bc73462d0679105fe5a40/reports/57665bb3-b22e-44e1-9c4e-a650e574484e/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/bfa36eb058e276e8085e2c5dabade21c688eee2b38d806b74da4aa51688b8e98

Verdict:

Clean

File Type:

exe x64

Link:

https://opentip.kaspersky.com/bfa36eb058e276e8085e2c5dabade21c688eee2b38d806b74da4aa51688b8e98/results?tab=lookup

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bfa36eb058e276e8085e2c5dabade21c688eee2b38d806b74da4aa51688b8e98

Gathering data

Verdict:

Malicious

Threat:

Family.SCARFACE

Link:

https://tip.neiki.dev/file/bfa36eb058e276e8085e2c5dabade21c688eee2b38d806b74da4aa51688b8e98

Threat name:

Win64.Malware.Heuristic

Status:

Malicious

First seen:

2026-06-20 03:47:51 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 36 (47.22%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x6rw5mcy4j3oqcc6fro2xlpcdrui53rlhdmann2nusvfc2elr2ma._file

Result

Malware family:

n/a

Score:

8/10

Tags:

adware persistence ransomware spyware

Link:

https://tria.ge/reports/260624-n7dkvsbx8x/

Behaviour

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Enumerates connected drives

Boot or Logon Autostart Execution: Active Setup

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bfa36eb058e276e8085e2c5dabade21c688eee2b38d806b74da4aa51688b8e98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/