MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Chaos

Vendor detections: 18

Intelligence 18 IOCs YARA 11 File information Comments

SHA256 hash:	e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1
SHA3-384 hash:	ca9bd48e1627d7591690ed31fc45e76f877749e7060d03eeb8f22ce891257124050d4e00729c9c0ab4ff9f55b4934747
SHA1 hash:	2e9b9e0c5e4f33840deec09eee167026f7d850c1
MD5 hash:	3ebd769b2779b0f2c8e3a7ddc2b49c59
humanhash:	sweet-winter-east-ack
File name:	Bank Payment account.pdf.exe
Download:	download sample
Signature	Chaos Create hunting rule
File size:	622'279 bytes
First seen:	2025-09-30 15:28:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7c75a83e117d2bdfb2814c53e840c172 (4 x SalatStealer, 3 x QuasarRAT, 2 x XWorm)
ssdeep	12288:khoVY2+LfWvRSECKG4iRkTqoSdAAi70QXjqBX:kb2+CvRSEHiRkTqXAT70QXjs
Threatray	315 similar samples on MalwareBazaar
TLSH	T1B7D44CE4E79440B9D0A3957988378653F633780E4F649A4F17E1BE5B3E33381892AB53
TrID	92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10522/11/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.7% (.EXE) OS/2 Executable (generic) (2029/13) 0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Anonymous
Tags:	Chaos exe

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

Malware family:

ryuk

ID:

File name:

e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1.exe

Verdict:

Malicious activity

Analysis date:

2025-09-30 15:39:26 UTC

Tags:

auto-startup chaos ryuk ransomware crypto-regex

Link:

https://app.any.run/tasks/cd54c64f-db1e-449e-b3ab-305e1f17add2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Chaos

Link:

https://www.capesandbox.com/analysis/29598/

Detection(s):

SecuriteInfo.com.W64.Kryptik.GWG.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68dbf7277d643f33eab8d063

Tags:

underscore ransomware dropper micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Program Files directory

Creating a process from a recently created file

Creating a file in the %temp% directory

Creating a process with a hidden window

Launching a process

Creating a file

Creating a file in the %AppData% directory

Changing a file

Creating a file in the %AppData% subdirectories

Running batch commands

Unauthorized injection to a recently created process

Creating a file in the mass storage device

Deleting volume shadow copies

Preventing system recovery

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm fingerprint installer masquerade microsoft_visual_cc obfuscated overlay packed packer_detected ransomware sfx

Link:

https://www.filescan.io/uploads/68dbf7532b7951718db8ba00/reports/28789c54-0178-489b-9f1a-9ff8eeb36d33/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-09-28T07:40:00Z UTC

Last seen:

2025-09-28T07:40:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/cf4bea41-7741-4c2a-8963-57694b57c556

Score:

78%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1/

Verdict:

Malicious

Threat:

Family.CHAOS

Link:

https://tip.neiki.dev/file/e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-09-27 18:16:59 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4nxtd32mk2ern37ewrvguvvcxrc7q6yixoooonuu6322fsxz47qq._file

Verdict:

malicious

Label(s):

chaos

unc_loader_063

Chaos

26f9d0439f902a40aeff9e48630fb12a004858c06b0b9f4cacf157951617de51

Chaos

2ed5fceeb801a4c83914ceff3ac46166490682b81bf481db4687cd1d6b0a16c2

Chaos

63c4b6af6ba82506643626a6bc93c235e17d311d45c6affd73d56c327015bd4b

Chaos

7e84f42879e6649dc59f4a1f10e77e6fbab29702f1723d63a617cad58b7448b6

Chaos

edeb8e2f37243ae8620ab353026940c6b4fe5d2078b506298ed7aff227c17c18

Chaos

error

Chaos

+ 305 additional samples on MalwareBazaar

Result

Malware family:

chaos

Score:

10/10

Tags:

family:chaos adware defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Link:

https://tria.ge/reports/250930-sw34laaj2x/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Interacts with shadow copies

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops desktop.ini file(s)

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes backup catalog

Deletes shadow copies

Modifies boot configuration data using bcdedit

Chaos

Chaos Ransomware

Chaos family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/01fcb9a5-2af3-49d0-b419-c002b2162611

Unpacked files

SH256 hash:

e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1

MD5 hash:

3ebd769b2779b0f2c8e3a7ddc2b49c59

SHA1 hash:

2e9b9e0c5e4f33840deec09eee167026f7d850c1

Link:

https://www.unpac.me/results/66368901-e26a-4d42-ae48-4faf2c9d42eb/

SH256 hash:

3d1db014c8d0cdd2521d7717382095727282010a28e0865928612f53349c7c01

MD5 hash:

bdaacf8a47c625347c312efee2470885

SHA1 hash:

6577605543208bfd5b7e47da6b1c27398f3cc409

Link:

https://www.unpac.me/results/66368901-e26a-4d42-ae48-4faf2c9d42eb/

Malware family:

Chaos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e36f31ef4c56/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e36f31ef4c568916efe4b46a6a56a2bc45f87b08bb9ce73694f6f5a2caf9e7e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MAL_RANSOM_COVID19_Apr20_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects ransomware distributed in COVID-19 theme
Reference:	https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

Rule name:	MAL_RANSOM_COVID19_Apr20_1_RID2ECC Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware distributed in COVID-19 theme
Reference:	https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29598/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample