MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c2101d28b0c65034021338766dd697e5280339351102ade390652b44a2ad410. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	9c2101d28b0c65034021338766dd697e5280339351102ade390652b44a2ad410
SHA3-384 hash:	d2a825e3d9c3f4ef396aadff27610ce11a382cd532c4b249f7903c36a561379fe3d74665ff1c143843c5c09512979718
SHA1 hash:	e26febc3a5dffb44053a99d29a19905b9a2c493d
MD5 hash:	cc0a38a508a8d9c5511262a8c45282ba
humanhash:	mobile-lima-sink-louisiana
File name:	reverse_shell.exe
Download:	download sample
File size:	125'028 bytes
First seen:	2025-06-17 06:09:29 UTC
Last seen:	2025-06-17 12:38:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a9ae1b8d67c81e179c30bd3aeeb0e9e4
ssdeep	1536:g9UkZLvBvKtLTtz6EquetSXyhjewFYtk7AtuUNoZs2LSGuvY28:ghZeLTLhrKGuN2028
TLSH	T16CC317C5EEC9ACEBD915133895EB83292338F6C55B834B131C3872351E53AD0AECB55A
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

418

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

reverse_shell.exe

Verdict:

No threats detected

Analysis date:

2025-06-17 07:18:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ec6ac7f2-95de-47cd-aa0f-bc447cf4d8fb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/9798/

Gathering data

Result

Verdict:

Clean

Maliciousness:

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

anti-debug overlay packed

Link:

https://www.filescan.io/uploads/685106effd02ed5e05aee006/reports/80d30042-0ef7-4dbf-801f-0c6572b57b2c/overview

Verdict:

Suspicious

Labled as:

Malware_

Link:

https://www.hybrid-analysis.com/sample/9c2101d28b0c65034021338766dd697e5280339351102ade390652b44a2ad410

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d68f1c7c-255c-482e-b27e-1440d429cbe1

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1716151

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

80%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9c2101d28b0c65034021338766dd697e5280339351102ade390652b44a2ad410

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c2101d28b0c65034021338766dd697e5280339351102ade390652b44a2ad410/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-06-11 23:58:56 UTC

File Type:

PE+ (Exe)

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tqqqduulbrsqgqbbgodwnxljpzjiam4tkeicvxrzazjlisrk2qia._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250617-gwv77swybs/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/efe65a4b-6f26-47ab-8d4f-9998cbb499f2

Unpacked files

SH256 hash:

9c2101d28b0c65034021338766dd697e5280339351102ade390652b44a2ad410

MD5 hash:

cc0a38a508a8d9c5511262a8c45282ba

SHA1 hash:

e26febc3a5dffb44053a99d29a19905b9a2c493d

Link:

https://www.unpac.me/results/315c216c-d20e-4411-a1a1-b68ac439d840/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c2101d28b0c65034021338766dd697e5280339351102ade390652b44a2ad410

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 9c2101d28b0c65034021338766dd697e5280339351102ade390652b44a2ad410

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3562795/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/9798/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample