MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0
SHA3-384 hash: 4aba3e7f24aab893f2e9027177648528a358c2b0ff7958ac55de4d0751d3c2889a8d11b8d24ad2adbf21f6929ee0a27c
SHA1 hash: 972f5bccfaed3dc6a34b751c83067fc571de1da1
MD5 hash: 2aa341bbbd08b13dc67180290ff3744e
humanhash: single-video-pennsylvania-golf
File name:cbot_debug.exe
Download: download sample
File size:17'920 bytes
First seen:2026-01-09 17:15:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b2df774f65211b4962a056c4da67248
ssdeep 384:o6ybHcXZwzVocxbwfqcW3oZwYLFUHSK14StPsR4W94tW8f:oeoocmqcCojISY4S5sR8
TLSH T1D182B04B23B09F9DF1ED43F0582D516AA3377CA4AF998B5E1F88506D0A02D24EC9067A
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe UPX
File size (compressed) :17'920 bytes
File size (de-compressed) :38'400 bytes
Format:win64/pe
Unpacked file: bb49e1d658fdf68519c0272098666a7a88fadd4aee16455993bc3dd54fb0b365

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/64ddb0bd-2e8e-4cd5-bc12-cca41f322bfa/
Malware family:
amadey
Create hunting rule
ID:
1
File name:
2to1ep.exe
Verdict:
Malicious activity
Analysis date:
2026-01-09 15:16:25 UTC
Tags:
auto metasploit framework python stealer stealc github barys possible-phishing powershell clickfix anti-evasion irc telegram bdaejec backdoor purecrypter meshagent rmm-tool amadey botnet pastebin evasion phishing miner networm amus salatstealer pyinstaller anydesk putty xmrig adware remote xworm neshta remcos rat noescape wiper smb jigsaw ransomware clipper diamotrix scan smbscan wannacry discord dcrat darkcrystal asyncrat loader crypto-regex delphi generic havoc tool koistealer tinynuke guloader svc cobaltstrike purelogs pushware coinminer donutloader vidar rustystealer muckstealer mimikatz ghostsocks proxyware njrat xred koiloader xenorat bruteratel meterpreter gh0st blankgrabber lumma powershellempire worm stealerium redline rhadamanthys whitesnakestealer seetrol screenconnect rdp ramnit deerstealer koi azorult websocket dharma offloader xor-url
Link:
https://app.any.run/tasks/cc678e1e-9631-42f3-80b7-e7a5fe8601ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48393/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696137dcf50945831dff591b
Tags:
backdoor autorun botnet remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug barys crypto packed packed packed upx
Link:
https://www.filescan.io/uploads/696137c630368802bb7e266c/reports/45385d84-4abf-4eb4-b87a-d1ce43c911b5/overview
Verdict:
Malicious
Labled as:
Trojan[Ransom]/MSIL.HiddenTear
Link:
https://www.hybrid-analysis.com/sample/0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-09T16:31:00Z UTC
Last seen:
2026-01-10T00:37:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win64.Generic VHO:Trojan.Win64.Agent.gen PDM:Trojan.Win32.Generic Trojan.Win32.Reconyc.sb RemoteAdmin.LiteManager.TCP.C&C
Link:
https://opentip.kaspersky.com/0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/483ed386-b2b9-4b7e-8318-1550c587fbdd
Result
Threat name:
DDOS Bot
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1847505
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files to the startup folder
Found API chain indicative of debugger detection
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Yara detected DDOS Bot
Behaviour
Behavior Graph:
Download SVG
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/2aa341bbbd08b13dc67180290ff3744e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0/
Verdict:
Malicious
Threat:
RemoteAdmin.LiteManager.TCP
Link:
https://tip.neiki.dev/file/0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0
Threat name:
Win64.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2026-01-09 17:16:40 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=acjasirb4b24wnj5vmp7jexl36xphb4jqrakzfmjphnnspk3cdia._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/260109-vsz9msbx6d/
Behaviour
UPX packed file
Drops startup file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/785e1bfe-3a88-4cbc-8b7a-779b46d5ac21
Unpacked files
SH256 hash:
0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0
MD5 hash:
2aa341bbbd08b13dc67180290ff3744e
SHA1 hash:
972f5bccfaed3dc6a34b751c83067fc571de1da1
Link:
https://www.unpac.me/results/a008b3d0-00b1-4c38-a27e-d7c99d35b34f/
SH256 hash:
bb49e1d658fdf68519c0272098666a7a88fadd4aee16455993bc3dd54fb0b365
MD5 hash:
b78e3e1f4e55bed63917e3a0d9522f36
SHA1 hash:
8ba1b49d86d6080adbaf2770fe1988abe7b9ee7c
Link:
https://www.unpac.me/results/a008b3d0-00b1-4c38-a27e-d7c99d35b34f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0092092221e075cb353dab1ff492ebdfaef387898440ac958979dad93d5b10d0

(this sample)

Executable exe bb49e1d658fdf68519c0272098666a7a88fadd4aee16455993bc3dd54fb0b365

Cape
Cape
https://www.capesandbox.com/analysis/48393/
  
URLhaus
https://urlhaus.abuse.ch/url/3743574/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 bb49e1d658fdf68519c0272098666a7a88fadd4aee16455993bc3dd54fb0b365
  
Dropping
MD5 b78e3e1f4e55bed63917e3a0d9522f36

Comments