MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754
SHA3-384 hash:	5f7129a1993e4ec9b3a19cbf277147554f7323642f7d6babff501889967dbdf550abab9001dc0408c0107040f15a62fe
SHA1 hash:	8f326e2fb8a7d4bdcf8b535aca0b91d9dbb49f4f
MD5 hash:	0c41e49b7d372e7e8137bfae9f194d69
humanhash:	victor-oxygen-oranges-nebraska
File name:	cbot.exe
Download:	download sample
File size:	75'264 bytes
First seen:	2025-12-23 17:15:52 UTC
Last seen:	2025-12-23 17:15:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	39f1222cf62e3e9db794884fb1d02403
ssdeep	768:OvN3/UzbFEt6ocu2bwyEFkJtDGukUpGIe0hs2msRxstUtW7XLZuvz1bNDLKGlqkO:q/jYu1F0rv/7nECtIL0vzGGqkUV
TLSH	T1CD733B17B34368F9C526C1748AEF6733EA31B8671630AF6F2758D6341F21E506E6EA10
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 653b90d033d7e977f2161f77f4e70d30eab30840fd1d238eb051e3ea7bc13520

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	34'816 bytes
File size (de-compressed) :	75'264 bytes
Format:	win64/pe
Packed file:	653b90d033d7e977f2161f77f4e70d30eab30840fd1d238eb051e3ea7bc13520

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

xmrig

ID:

File name:

cbot.exe

Verdict:

Malicious activity

Analysis date:

2025-12-23 17:16:47 UTC

Tags:

auto-startup xmrig

Link:

https://app.any.run/tasks/fc02b5ca-811e-4cba-a73e-91a69115681c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45895/

Detection(s):

Win.Malware.Malwarex-10058597-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694ace78038f10550b5522ea

Tags:

autorun xmrig

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug crypto fingerprint lolbin netsh packed schtasks update xmrig

Link:

https://www.filescan.io/uploads/694ace6629529c74a2f546d5/reports/aa13f791-d57b-493f-bcda-408518edf40a/overview

Verdict:

Malicious

Labled as:

Trojan_Win32_CoinMiner_CF_bit

Link:

https://www.hybrid-analysis.com/sample/31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-22T09:54:00Z UTC

Last seen:

2025-12-23T11:18:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.Reconyc.sb HEUR:Trojan.Win64.Generic

Link:

https://opentip.kaspersky.com/31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f7257159-ba1a-45fa-a40c-027890f64d9c

Result

Threat name:

DDOS Bot, Xmrig

Detection:

malicious

Classification:

troj.adwa.expl.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1838339

Signature

Antivirus detection for URL or domain

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files to the startup folder

Found strings related to Crypto-Mining

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: System File Execution Location Anomaly

System process connects to network (likely due to code injection or exploit)

Uses dynamic DNS services

Yara detected DDOS Bot

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/0c41e49b7d372e7e8137bfae9f194d69

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754/

Verdict:

Malicious

Threat:

Family.XMRIG

Link:

https://tip.neiki.dev/file/31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-12-22 17:25:52 UTC

File Type:

PE+ (Exe)

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ghsd4xjwy6cs6ckt5fbr3hvcpompkirruqs5jdiuxun4s65uo5ka._file

Gathering data

Verdict:

Suspicious

Tags:

cryptojacking xmrig

YARA:

SUSP_XMRIG_String

Link:

https://app.threat.zone/submission/7156b7e8-d672-4cbe-9841-6053e7eabcaa

Unpacked files

SH256 hash:

31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754

MD5 hash:

0c41e49b7d372e7e8137bfae9f194d69

SHA1 hash:

8f326e2fb8a7d4bdcf8b535aca0b91d9dbb49f4f

Detections:

SUSP_XMRIG_String

Link:

https://www.unpac.me/results/ae2debbe-a8fb-4547-bc76-7e92fd8145ce/

Parent samples :

653b90d033d7e977f2161f77f4e70d30eab30840fd1d238eb051e3ea7bc13520
fca41f17c29ff73b6912f42514df11d2b4747fec552efa86ac707f8ac265614b
31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	SUSP_XMRIG_String Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a suspicious XMRIG crypto miner executable string in filr
Reference:	Internal Research

Rule name:	SUSP_XMRIG_String_RID2D18 Create hunting rule
Author:	Florian Roth
Description:	Detects a suspicious XMRIG crypto miner executable string in filr
Reference:	Internal Research

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)