MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c1ea4b5f12a991ba2689d1772ff795df8c7513e296b557821ae3f45de8ea170. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	1c1ea4b5f12a991ba2689d1772ff795df8c7513e296b557821ae3f45de8ea170
SHA3-384 hash:	a15eaed3fca6582bd33289a0c3f6d2fa4e84cca825f94c0ad413315575d9ba29c2df1f1f234bd8ff3b6a466a31881ee0
SHA1 hash:	7eb2806f38e8f6f4c7345cdf9d5d6674eff96c6f
MD5 hash:	87ed7e4a0ef6ad0adeb9c4e156b7d3dc
humanhash:	florida-utah-enemy-lactose
File name:	raw_cbot_debug.exe
Download:	download sample
File size:	31'232 bytes
First seen:	2025-12-20 10:15:40 UTC
Last seen:	2025-12-20 11:30:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4b2df774f65211b4962a056c4da67248
ssdeep	768:oA9wAsk5uWLfuT98npCJpkoar+XqAjNVXxJfBQeeDq:oBARu8uhfpkFSqAjNVhJ5QeeDq
TLSH	T1CFE2E1413EFA629CE0E2AE7A22E49601E17EF55A5D4E83892F09804F19D095BCD37E31
TrID	63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12) 24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.ICL) Windows Icons Library (generic) (2059/9) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	BlinkzSec
Tags:	exe mirai UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	31'232 bytes
File size (de-compressed) :	61'440 bytes
Format:	win64/pe
Unpacked file:	428184b3fa70f4680bb776c214eb07bb4ef7507586a69d2b4ba8d0e23b67d101

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PEPacker

Details

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/ef1508a2-2296-4f69-a674-77bdf4d0c632/

Malware family:

n/a

ID:

File name:

raw_cbot_debug.exe

Verdict:

Suspicious activity

Analysis date:

2025-12-20 10:18:32 UTC

Tags:

auto-startup upx

Link:

https://app.any.run/tasks/56a3597c-bf38-4d42-92bf-935d0656c771

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45567/

Detection(s):

SecuriteInfo.com.FileRepMalware.35368461.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69467773ee899ae4567f1502

Tags:

backdoor autorun virus spawn

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug barys crypto fake packed packed packed unsafe upx

Link:

https://www.filescan.io/uploads/6946776f3f8fdbf8e94ce936/reports/e44bb793-e173-4f0c-be39-43a9fce5cd5b/overview

Verdict:

Malicious

Labled as:

Trojan[Ransom]/MSIL.HiddenTear

Link:

https://www.hybrid-analysis.com/sample/1c1ea4b5f12a991ba2689d1772ff795df8c7513e296b557821ae3f45de8ea170

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-20T07:13:00Z UTC

Last seen:

2025-12-21T19:24:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Win64.Generic VHO:Trojan.Win32.Agent.gen PDM:Trojan.Win32.Generic Trojan.Win32.Reconyc.sb RemoteAdmin.LiteManager.TCP.C&C

Link:

https://opentip.kaspersky.com/1c1ea4b5f12a991ba2689d1772ff795df8c7513e296b557821ae3f45de8ea170/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0a973149-42ca-4c80-937e-038b33a5e4f5

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1c1ea4b5f12a991ba2689d1772ff795df8c7513e296b557821ae3f45de8ea170

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/87ed7e4a0ef6ad0adeb9c4e156b7d3dc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c1ea4b5f12a991ba2689d1772ff795df8c7513e296b557821ae3f45de8ea170/

Verdict:

Malicious

Threat:

RemoteAdmin.LiteManager.TCP

Link:

https://tip.neiki.dev/file/1c1ea4b5f12a991ba2689d1772ff795df8c7513e296b557821ae3f45de8ea170

Threat name:

Win64.Trojan.Sonbokli

Status:

Malicious

First seen:

2025-12-20 10:16:18 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dqpkjnprfkmrxititulxf73zlx4mouj6ffvvk6bbvy7ulxuoufya._file

Result

Malware family:

n/a

Score:

7/10

Tags:

upx

Link:

https://tria.ge/reports/251223-nv1vmawlaz/

Behaviour

UPX packed file

Drops startup file

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6a995b6f-923d-4f0c-9fd9-42f3eef30a98

Unpacked files

SH256 hash:

1c1ea4b5f12a991ba2689d1772ff795df8c7513e296b557821ae3f45de8ea170

MD5 hash:

87ed7e4a0ef6ad0adeb9c4e156b7d3dc

SHA1 hash:

7eb2806f38e8f6f4c7345cdf9d5d6674eff96c6f

Link:

https://www.unpac.me/results/1fa7c103-b1bb-4457-8cdf-39a1558a36cb/

SH256 hash:

428184b3fa70f4680bb776c214eb07bb4ef7507586a69d2b4ba8d0e23b67d101

MD5 hash:

b252fb0520a86dc1eb0b8c31cdbd804f

SHA1 hash:

b4b1148a11740af9ef744f916b1bf345cbc13d17

Link:

https://www.unpac.me/results/1fa7c103-b1bb-4457-8cdf-39a1558a36cb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.56

Link:

https://yomi.yoroi.company/submissions/1c1ea4b5f12a991ba2689d1772ff795df8c7513e296b557821ae3f45de8ea170

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.