MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee46190acc18c749eb9411c477d7cb10cfd7be238f58a139bfb54174a7b821d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee46190acc18c749eb9411c477d7cb10cfd7be238f58a139bfb54174a7b821d2
SHA3-384 hash: 5d8323aef3b5514bc73c4ed8d377a7d26837525627cd5ee97825c0746339dc229c3cb7e3fd2371292456cdd2f0f2e96b
SHA1 hash: da45dac630fc424a22f6ac92979b42ea6ea0dfea
MD5 hash: 21ddf38989052d7e577367980dfbe2f5
humanhash: triple-speaker-skylark-stairway
File name:erto3e4rortoergn.exe
Download: download sample
File size:41'594'880 bytes
First seen:2026-03-16 13:19:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 935f401fbefe56e6277c13307758a82c
ssdeep 786432:jLZAGwbkr6vmnYar8mJGvA1QVGqmbPjMyuhhn9Acsrdu:vZAGwwrAK5tGvAEGdPI9hbY4
TLSH T1EE9723D399DA62F8C0C70A08514E518FB5C165FEC9FE9A0D1ACBAC031951FEA498DB73
TrID 44.6% (.EXE) Win64 Executable (generic) (6522/11/2)
14.0% (.ICL) Windows Icons Library (generic) (2059/9)
13.8% (.EXE) OS/2 Executable (generic) (2029/13)
13.7% (.EXE) Generic Win/DOS Executable (2002/3)
13.6% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter burger
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b8043c93b644ca466a9452
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Labled as:
QD:Trojan.GenericQ
Link:
https://www.hybrid-analysis.com/sample/ee46190acc18c749eb9411c477d7cb10cfd7be238f58a139bfb54174a7b821d2
Verdict:
Clean
File Type:
exe x64
Link:
https://opentip.kaspersky.com/ee46190acc18c749eb9411c477d7cb10cfd7be238f58a139bfb54174a7b821d2/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1884257
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ee46190acc18c749eb9411c477d7cb10cfd7be238f58a139bfb54174a7b821d2
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/ee46190acc18c749eb9411c477d7cb10cfd7be238f58a139bfb54174a7b821d2
Threat name:
Win64.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-03-13 08:36:18 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zdbscwmdddut24uchchpv6lcdh5pprdr5mkcon7wvaxjj5yehja._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/260316-qk773ags9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/ee46190acc18c749eb9411c477d7cb10cfd7be238f58a139bfb54174a7b821d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

RustyStealer

rar 84de426c5c053e05a1128ba21e5664ee759cc4bc4983a3972e669bc6dff3023f

Executable exe ee46190acc18c749eb9411c477d7cb10cfd7be238f58a139bfb54174a7b821d2

(this sample)

  
Dropped by
SHA256 84de426c5c053e05a1128ba21e5664ee759cc4bc4983a3972e669bc6dff3023f
  
Dropped by
MD5 3ec7f152d8675d758d8766a2356bf3a4

Comments