MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3
SHA3-384 hash: 33016b7d0c854b4e601d48ea0278cb4eb9b2fe654d2477e6b858d54465d76c561f60d4baa76f6f63d959b71e0522e075
SHA1 hash: bc096c440ed76c34983aacf44b31b9ca813cc29a
MD5 hash: 5df9633cc3c84dc5727b7ea9826e2e68
humanhash: carbon-football-india-golf
File name:raw_cbot.exe
Download: download sample
File size:17'920 bytes
First seen:2026-01-09 17:15:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b2df774f65211b4962a056c4da67248
ssdeep 384:k6ybHcXZwzVocxbwfqcW3oZwYLFUHSK14Sy7fsR5W94tW8f:keoocmqcCojISY4SybsR3
TLSH T16A82B04623B09E9DF1EC43F0582D51776777BCB4AF998F9D1F8850690901E20E85067A
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe UPX
File size (compressed) :17'920 bytes
File size (de-compressed) :38'400 bytes
Format:win64/pe
Unpacked file: 40224df359e293764ad6543455f3e0b58395b550d2baa85f325c75655a90c140

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/b8863eb0-e7b4-4e3a-8e2b-b8fe210d8e52/
Malware family:
quasar
Create hunting rule
ID:
1
File name:
Nuclear Bomb.zip
Verdict:
Malicious activity
Analysis date:
2026-01-09 13:57:12 UTC
Tags:
arch-exec auto metasploit framework python stealer stealc anti-evasion powershell xenorat rat salatstealer credentialflusher barys github purecrypter quasar evasion telegram clipper diamotrix loader phishing purelogs asyncrat possible-phishing generic svc clickfix coinminer miner irc meshagent rmm-tool amadey botnet formbook tinynuke guloader havoc tool deerstealer pushware adware koistealer offloader remote cobaltstrike muckstealer lumma anydesk putty powershellempire mimikatz xmrig donutloader xworm koiloader ghostsocks proxyware vidar njrat xred meterpreter remcos wannacry ransomware gh0st hijackloader bruteratel screenconnect rdp blankgrabber redline rhadamanthys cryptowall networm amus stealerium websocket azorult pyinstaller cryptolocker pastebin dcrat darkcrystal autohotkey delphi ims-api crypto-regex susp-powershell xor-url jeefo bladabindi smb noescape wiper whitesnakestealer scan smbscan dharma ddr seetrol upx golang pythonstealer
Link:
https://app.any.run/tasks/359c61eb-3e33-4d29-ab6f-0d1bdc2f59ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48392/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696137d09922425f92ff4c6e
Tags:
backdoor autorun botnet virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug crypto packed packed packed upx
Link:
https://www.filescan.io/uploads/696137c807ef5fa68e82faed/reports/4626fbfe-65f1-48e0-b138-f3676be65436/overview
Verdict:
Malicious
Labled as:
Trojan[Ransom]/MSIL.HiddenTear
Link:
https://www.hybrid-analysis.com/sample/81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-09T11:07:00Z UTC
Last seen:
2026-01-09T23:51:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Reconyc.sb HEUR:Trojan.Win64.Generic VHO:Trojan.Win32.Scar.gen PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9fed31b-b31b-4d0a-b2a8-3709e9e18b41
Result
Threat name:
DDOS Bot
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1847506
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files to the startup folder
Found API chain indicative of debugger detection
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Yara detected DDOS Bot
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/5df9633cc3c84dc5727b7ea9826e2e68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3/
Verdict:
Malicious
Threat:
Trojan.Win32.Reconyc
Link:
https://tip.neiki.dev/file/81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3
Threat name:
Win64.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2026-01-09 16:02:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qg7s4jzxf7643fcvfdxk4zoyl5pfywuawyhwkz2nluqzlwt36orq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/260109-vsy2ksbx6c/
Behaviour
UPX packed file
Drops startup file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7ac42c21-62bb-4afe-b65f-a5829489c799
Unpacked files
SH256 hash:
81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3
MD5 hash:
5df9633cc3c84dc5727b7ea9826e2e68
SHA1 hash:
bc096c440ed76c34983aacf44b31b9ca813cc29a
Link:
https://www.unpac.me/results/eabaa607-d770-429d-b583-10c026ff65bb/
SH256 hash:
40224df359e293764ad6543455f3e0b58395b550d2baa85f325c75655a90c140
MD5 hash:
fff17e1faae9b6cea6de21f2799ae64b
SHA1 hash:
1748f8e0f0060e7e0a43db1559486bec24d23b1c
Link:
https://www.unpac.me/results/eabaa607-d770-429d-b583-10c026ff65bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 81bf2e27372ffdcd945528eeae65d85f5e5c5a80b60f65674d5d2195da7bf3a3

(this sample)

Executable exe 40224df359e293764ad6543455f3e0b58395b550d2baa85f325c75655a90c140

Cape
Cape
https://www.capesandbox.com/analysis/48392/
  
URLhaus
https://urlhaus.abuse.ch/url/3743572/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 40224df359e293764ad6543455f3e0b58395b550d2baa85f325c75655a90c140
  
Dropping
MD5 fff17e1faae9b6cea6de21f2799ae64b

Comments