MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4
SHA3-384 hash:	b8c42a20a5660a5b51c273fceb456a0307b5c5e93ea8bb998b719928577a65b87f5d335e9d6ea93344cb2fb0417128a2
SHA1 hash:	aec2c4d0d16930a09816548f2d1c866385ab3d2f
MD5 hash:	91eb636f921e1ba9d3de13900b225b51
humanhash:	quiet-asparagus-early-single
File name:	raw_cbot.exe
Download:	download sample
File size:	32'768 bytes
First seen:	2025-12-23 17:14:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9e3c03122e5048a88cdc9a07d190f932
ssdeep	768:WwBVypcggl9b86YjGTkgzOnQXIMMrEac9nKmExG1Z+6sW5R:9rGcaxgkg8QXIXrc9lExazsW5R
TLSH	T16BE2E1671AF12ACFF1DB0E70A96B02B55EE5B6BD132C8B4C8D91166D1510E20CFF4972
TrID	63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12) 24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.ICL) Windows Icons Library (generic) (2059/9) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	32'768 bytes
File size (de-compressed) :	69'120 bytes
Format:	win64/pe
Unpacked file:	5825d9068ac063054cb745d7ba8a4745e0a56d8ac0e8c307034cdd1e9f612e80

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PEPacker

Details

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/cd14f4a5-5d5f-4e07-b6b4-c9d41ef645b7/

Malware family:

meterpreter

ID:

File name:

2to1ep.exe

Verdict:

Malicious activity

Analysis date:

2025-12-22 11:37:45 UTC

Tags:

auto metasploit framework python stealer powershell github backdoor meterpreter payload stealc possible-phishing clickfix amadey botnet phishing anti-evasion havoc tool svc miner generic guloader loader tinynuke koistealer telegram cobaltstrike njrat koiloader powershellempire bruteratel networm amus masslogger xred xenorat rat ghostsocks proxyware donutloader formbook uac coinminer gh0st evasion pyinstaller remcos azorult rhadamanthys redline asyncrat wannacry ransomware stealerium nanocore whitesnakestealer xmrig vipkeylogger keylogger bladabindi putty rmm-tool websocket purecrypter cryptowall screenconnect rdp neshta dcrat agenttesla quasar pushware adware clipper diamotrix hijackloader remote whitesnake netsupport muckstealer cryptolocker discord iqvw64-sys vuln-driver offloader pythonstealer lumma schoolboy arch-exec pastebin eicar-test xworm vidar koi snake

Link:

https://app.any.run/tasks/7edbde01-47a9-4988-b0e3-56824125ec35

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45888/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694ace3d038f10550b5522cf

Tags:

downloader autorun dropper virus

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-22T12:35:00Z UTC

Last seen:

2025-12-22T13:07:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.Reconyc.sb HEUR:Trojan.Win64.Generic RemoteAdmin.LiteManager.TCP.C&C

Link:

https://opentip.kaspersky.com/cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d375c7e4-ae96-416b-9046-5fc48ac9cdff

Result

Threat name:

DDOS Bot, Xmrig

Detection:

malicious

Classification:

troj.adwa.expl.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1838350

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Drops PE files to the startup folder

Found strings related to Crypto-Mining

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: System File Execution Location Anomaly

System process connects to network (likely due to code injection or exploit)

Uses dynamic DNS services

Yara detected DDOS Bot

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/91eb636f921e1ba9d3de13900b225b51

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4/

Verdict:

Malicious

Threat:

Family.XMRIG

Link:

https://tip.neiki.dev/file/cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4

Threat name:

Win64.Trojan.Barys

Status:

Malicious

First seen:

2025-12-22 23:37:44 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zoooj7l7iip5we65kml2k7yel7mzy67td2hra6rrzi3mczxi4csa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

upx

Link:

https://tria.ge/reports/251225-nx89sawjg1/

Behaviour

UPX packed file

Drops startup file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7f418831-ca05-4b84-a39d-1fe36086d51a

Unpacked files

SH256 hash:

cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4

MD5 hash:

91eb636f921e1ba9d3de13900b225b51

SHA1 hash:

aec2c4d0d16930a09816548f2d1c866385ab3d2f

Link:

https://www.unpac.me/results/fdd417a3-9dff-4b6c-b96d-a69aea510458/

SH256 hash:

5825d9068ac063054cb745d7ba8a4745e0a56d8ac0e8c307034cdd1e9f612e80

MD5 hash:

010df58c12d6ab04b83dad0f97ef3181

SHA1 hash:

6ff1e7f7409628e6c7c4187b6f6cc2011209b0b2

Detections:

SUSP_XMRIG_String

Link:

https://www.unpac.me/results/fdd417a3-9dff-4b6c-b96d-a69aea510458/

Parent samples :

cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4
5825d9068ac063054cb745d7ba8a4745e0a56d8ac0e8c307034cdd1e9f612e80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cb9ce4fd7f421fdb13dd5317a57f045fd99c7bf31e8f107a31ca36c166e8e0a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SUSP_XMRIG_String Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a suspicious XMRIG crypto miner executable string in filr
Reference:	Internal Research

Rule name:	SUSP_XMRIG_String_RID2D18 Create hunting rule
Author:	Florian Roth
Description:	Detects a suspicious XMRIG crypto miner executable string in filr
Reference:	Internal Research