MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1ad5175c7bab5034190059579712b2d38bd010fec191b00a3709b54cd446967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Havoc

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	c1ad5175c7bab5034190059579712b2d38bd010fec191b00a3709b54cd446967
SHA3-384 hash:	56ff3d80923896e58c8e803b89f6331aeb1e034dc2bdc499662227385ffcd6a9d7c78197ae2034395401ef451630b6ae
SHA1 hash:	4af59348b12fe40250fb3f4c36ae3f71204b4ba3
MD5 hash:	230bb9bc6687bc4b0bc05e017d339a03
humanhash:	march-freddie-ink-nine
File name:	old.exe
Download:	download sample
Signature	Havoc Create hunting rule
File size:	118'784 bytes
First seen:	2026-03-21 19:24:37 UTC
Last seen:	2026-03-22 20:23:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c1f4358211a66fe3d457f3e6f5983347 (4 x Havoc)
ssdeep	3072:RVJxf4ZIk+bV1YvW8hMtYxLK5B2xS9aAHyYfP:RxoZv9MudK5ubAHfP
TLSH	T1B5C3024666812DFED5436332C35A87F6F630958047720FBF8624C9396E108D8EEAF679
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	burger
Tags:	exe Havoc

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

old.exe

Verdict:

No threats detected

Analysis date:

2026-03-21 19:23:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d14101cc-3d1f-49f2-9e19-87b280521ef5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69bef0afaacb4c376b128ce8

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Labled as:

Win64/Injector_AGeneric.GR trojan

Link:

https://www.hybrid-analysis.com/sample/c1ad5175c7bab5034190059579712b2d38bd010fec191b00a3709b54cd446967

Verdict:

Malicious

File Type:

exe x64

Detections:

HEUR:Backdoor.Win64.C2.h Backdoor.Win64.Shellcode.sbb PDM:Trojan.Win32.Generic Backdoor.C2.HTTP.ServerRequest Exploit.CVE-2024-41570.HTTP.C&C

Link:

https://opentip.kaspersky.com/c1ad5175c7bab5034190059579712b2d38bd010fec191b00a3709b54cd446967/results?tab=lookup

Malware family:

Havoc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00eb2c5f-612b-4823-a3ad-a9b975af3f30

Result

Threat name:

Havoc

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1887231

Signature

Found direct / indirect Syscall (likely to bypass EDR)

Multi AV Scanner detection for submitted file

Unusual module load detection (module proxying)

Yara detected Havoc

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c1ad5175c7bab5034190059579712b2d38bd010fec191b00a3709b54cd446967

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1ad5175c7bab5034190059579712b2d38bd010fec191b00a3709b54cd446967/

Verdict:

Malicious

Threat:

Family.HAVOC

Link:

https://tip.neiki.dev/file/c1ad5175c7bab5034190059579712b2d38bd010fec191b00a3709b54cd446967

Threat name:

Win64.Backdoor.Meterpreter

Status:

Suspicious

First seen:

2026-03-21 19:25:54 UTC

File Type:

PE+ (Exe)

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ygwvc5ohxk2qgqmqawkxs4jlfu4l2aip5qmrwafdocnvjtkenftq._file

Verdict:

malicious

Label(s):

havoc

Similar samples:

error

Havoc

Result

Malware family:

havoc

Score:

10/10

Tags:

family:havoc backdoor

Link:

https://tria.ge/reports/260321-x46lxacx8q/

Behaviour

Detects Havoc payload

Havoc family

Havoc, HavocC2

Unpacked files

SH256 hash:

c1ad5175c7bab5034190059579712b2d38bd010fec191b00a3709b54cd446967

MD5 hash:

230bb9bc6687bc4b0bc05e017d339a03

SHA1 hash:

4af59348b12fe40250fb3f4c36ae3f71204b4ba3

Link:

https://www.unpac.me/results/9aea82d9-fa4f-46db-8eb6-47884f5f6717/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/c1ad5175c7bab5034190059579712b2d38bd010fec191b00a3709b54cd446967

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.