MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mofksys

Vendor detections: 15

Intelligence 15 IOCs YARA 19 File information Comments

SHA256 hash:	1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274
SHA3-384 hash:	becbf297e648c5518de48359845e6b8837d6a66fe785b8ed40563e2e7b1e986e7f3c61dd9eb46ac5a17cae3fb0b8fcef
SHA1 hash:	29faa90d20222e118d0cd3a01e2d0dddb3c2f914
MD5 hash:	2bc552a1f8cb995775c8121b476dcdd9
humanhash:	michigan-alabama-robin-fix
File name:	file
Download:	download sample
Signature	Mofksys Create hunting rule
File size:	8'095'817 bytes
First seen:	2025-08-19 14:59:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep	196608:+kbgJsau4PqC1qLAgz27O7PNYODgH0ZW0dTqnc52V:LbgFu4PqC1qLAgh71rzZJ2nc4
TLSH	T17C86E046A3E101F8D5A38238D45A431BF7B1741907719BCF33D44A522F63AE2AE7E729
TrID	42.6% (.EXE) Win32 Executable (generic) (4504/4/1) 19.4% (.ICL) Windows Icons Library (generic) (2059/9) 18.9% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
dhash icon	00928e8e8686b800 (21 x Mofksys, 9 x CryptOne, 5 x Amadey)
Reporter	jstrosch
Tags:	exe Mofksys

jstrosch

Found at hxxps://anonhax[.]site/uploads/Glorius_spoofer.exe by #subcrawl

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

lcb_spoof_crack.exe

Verdict:

Malicious activity

Analysis date:

2024-11-27 19:05:16 UTC

Tags:

jeefo

Link:

https://app.any.run/tasks/aa868f56-4924-4310-bd75-a0d489cacc6d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22276/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a491bac2f5296a1a28500d

Tags:

blackshades swisyn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file in the Windows subdirectories

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Enabling the 'hidden' option for recently created files

Setting a single autorun event

Enabling a "Do not show hidden files" option

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm certutil hacktool lolbin mofksys netsh obfuscated overlay packed packer_detected remote swisyn threat virus visual_basic wmic

Link:

https://www.filescan.io/uploads/68a49460419c816a6e8c2369/reports/89085980-9d82-4cd0-8138-ee8576256342/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274

Malware family:

MOFKSYS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/40496162-17d9-44cb-b703-9196e6dfbd45

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86

Link:

https://app.malva.re/file/2bc552a1f8cb995775c8121b476dcdd9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274

Threat name:

Win32.Trojan.Swisyn

Status:

Malicious

First seen:

2024-10-23 23:52:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d3qzzixnndtsvtntpuodbpxumsrtb5tbk2bqwypmuyps3rbswj2a._file

Verdict:

malicious

Label(s):

mofksys

Similar samples:

error

Mofksys

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion discovery persistence

Link:

https://tria.ge/reports/250819-spx9rsdr5t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Drops file in System32 directory

Adds Run key to start application

Executes dropped EXE

Modifies visibility of hidden/system files in Explorer

Verdict:

Malicious

Tags:

trojan Win.Tool.Zusy-10033075-0

YARA:

Windows_Generic_Threat_7526f106 Windows_Generic_Threat_cbe3313a

Link:

https://app.threat.zone/submission/330ae8c7-d9da-40ca-b054-50fa8faf858b

Unpacked files

SH256 hash:

1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274

MD5 hash:

2bc552a1f8cb995775c8121b476dcdd9

SHA1 hash:

29faa90d20222e118d0cd3a01e2d0dddb3c2f914

Link:

https://www.unpac.me/results/e4bf04aa-f1c3-4bf4-b80c-6c32ae90c0de/

SH256 hash:

4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b

MD5 hash:

1898ceda3247213c084f43637ef163b3

SHA1 hash:

d04e5db5b6c848a29732bfd52029001f23c3da75

Detections:

PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429

Link:

https://www.unpac.me/results/e4bf04aa-f1c3-4bf4-b80c-6c32ae90c0de/

Parent samples :

d16e147eaf8a76ab283053889fff5074b75af230f52f7197765363b22fc82445
e4f0fa3c70a4c20e7f79ac8e0c0c7b3e58e97a8e9d42274d51a54ebf9e8da5e4
d678623c64c737fd9c8372c8e67b9fcc536845c358626065fa92e40f5fe6c6c8
04cbe1f69bcd1cb359b78e2a7029fe296e3a50020a044cd297b9cce59560b794
d0223dec05ad601e9f2f18b4a539a7e7734966835c5d36dbc9dfcdcb346a20c7
1d679b6434ca87e87c226ff908f19221a09a885d1c0a33f8c868e5d45a440e7f
2a9e2f0f019399b393354db70af0cfabda83f87251943db7d93e50e716c824fb
a1c2c3bdce253290795062ea0e45635b31b90ae4578bed99cfd2daac211784a9
dd571e92f0c0c4fce65805d39e7af60e1655a1130d29fe17de97ccac1a13f605
c650e238437e0f95b1c5b32f7188b8ade8cb73e26cf624446ef410c6cf61c069
e00dd7eb22f4c0edd534efd84e64dd0129826b4175697e925ebb551b5a33421f
62404758252b994da1b60c819fa8cbf1b6a884cd001939479a90ba4c52585363
b22a8e33c9ef66da4d9b2e087be276965340c8320bd4eb334ec1757c8df33ff7
d79de2edd86c1c07b39eb3d113adf40719fbf3b5d60f6ffd39aeb356c2d175aa
b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6
2d0a9d5ca563ffa82a974903bb43411b22c863311ec926449f08d16f483e4e70
9b2e6a46fde02906b7865bb6629cb5b25c53c5ff6a0c0cdf4ffdc7f7961582c2
a2a67ec1404b2fe5decf5ea86de316f8a2ca775480deab3eed28b8b0b2c34ab5
0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81
dca8a2e66bfa8f85d89ca6885a68482a5e85028794a71a385819ae9d832adae4
196716eef9fca584f75ec1100956fc2d34edbe1f3e896003e2c19df32be6196a
0264425d27b1b4442f6a6d25c4634b9dca471f56bffb03bd450ec5c0bd93e7c2
b920dc19a2317f619a9d7af0935eb05b07442d2ae77f1482bd883a086a9c0513
f54d45ee37b7f40b3ae34ac11476c6d25f2a780cdc02472a3f247b7c9af9e143
27abe6f4dc371d7e7008dc5c4b079d85f6e2c5b583b2fd831674186e92d583fd
59f55834d9aec7059e957c376af57f71a8028d057b194a5567d1d95b4d7d4f6e
4a215059825f792fcb384de29a3301f3bb8422e5fa56a20e253b94ce754d6908
7d7f580de5a46d90941ed4c7db9ac24e0117a957614324647d6c528b7d2f1833
538657e0e69a3e37da94646672537f3c7764a81d0b0896c7305f06f799245d92
399fe041d19c3c4ce98036ee725529632aff01e9b0811c11104595589a05c7fa
d4f5c92d2602f114b7269eee1157c290d2f70efca5093f2b5d67cd526eb5f8e8
7b4ca5b780438bef6eca1d5241c5a5f9afbed7e9eacc62300c5ac64fe9e1030a
0e053da640e325971896b97f0993fbb17dd010bdc9625ca6fa4ee64c4a5f018a
5fe667b5af59c9e890f8af1049d74528ee5297c7c85036661b0cce4877ab31e5
06833640b01d9b8dcbc8001f0ff1cbc3aaa4ba1d45e08238c076b0d0d477c966
0071fd8f074a69e3145106a3a8607844e5bdafe96ad70e307d5b54c0094a0103
fc0b9e5219835acdeb8e214b62f7a77e5e55e301ae0ee78ab5e675db4a85a33b
127d87a19b7a864d8ae9b35d6d8bc81a045eb2bd43fde28d5e61d97a9f1474a6
02181904ce4b61dd19e156cc2526c36cfae46f71989c15bb3c702bd4a71adbf7
a94803828cc2bd2c4260988832d8f297b4e3eeb96f2e0a86162cc92e619159c3
48792c7901988e612893594b411a6fcb59bbff7120d63b56cbb6f9398289b057
45223efdb6920807e0a7e2e28f6b917a4a135066322df39d0af69b1a5901b49d
420e1fbd47a217f18c2729e90df4b85ac06eae21086f3af90aa38642330d5f2e
2117a22f49cc2ec80da587c770f589b16a9cbcae1a02f4758d7319535a2304d6
83b93149729486bc665fd9529751f10a0f8a46e38f06476513b2a4641e4dad33
4d7516db2c2d3fd58db5c64828949adabb51fdd418d4fc8463f4dfb63b481745
796ce4b47053840598f355fad26bd775c850a485110426656eb90607a9018b12
03445008471daab6eb3158ba4c315a89941c69e6f1714394035fcdd18472b00b
291977390ed9da8791a2395429c6040ba437de103c6215d80052d583221db9d2
b443722fd7616de2c14017ab001952c4c3bde2abd880d6dd9c5910b630d2a8a3
52e8478bb2c7ee6ccbf05f9154ac4b7619b4d986aec5e41bbd8fa752f37040a2
f3849196b9947151a7c448c51009aca0ed466ed5f21cbe9da91f8e102f8cabb9
5b4b87990e0594222c90e5328acbcc64216d96bdcac3f8b0c1aeabe904c271ca
6212a4504cbcd03e7a716176a2ad61f5babd186ca43e253a6a9362b03f027881
128bb9210cdffc2ff7cc0b5514d9feaf5ad831b575ec9c90c602f29349ee5bbb
bbd51ae9353f96a2b4c1e8b8b69b60c3d0eada919b117f0de1116d9df19424f0
2cb584856d1f4a98264a9a41327b46823442fdf89e5b07efb9e4424549bcf7f1
eaf427092f4af72f583dad5fb56f43406dac9f9ba1a0f8324da83c504f19c652
4b16f3423431cfa440d320d6ff2dd591bfbcef6d13a31408db9af233ad8509cd
4ee3ad4e4e7e262f5dd917322ab8a04f8d0afcfc05b3093230bd9ff7cca1a56d
5e81a10955625aa89a20e04d88b83ff4ac03340bae44f4be0968020881965575
87ca3126a867be0597b75c338dd0324a5d4625fb54d34efc6082161b3dc2e744
15c0f6587e713de3cc2a87d01f4ef228ed6998b16ba6249b2238084f8a03ec32
404a9091fe42a3f8abae045fbb2a26e111a00d1af5103725e6199e2d5b8a5cb1
e5c60f1bd2f095b0d7add0b28abfb90ec9f4b89f3b1acf0844d7296241633f0f
40baa97b2e3c456d1597454d2e85715f5205033ad6998938ec3486695f5e1648
8cfb19c6297c02e5b02721980466f0a0af273767dea2de89a4d5b397782a8dc3
bdf853881bf56cac5d25fb6c2d1b0ff02fab450d57a66d39d4770c2117e7b9ae
1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274
bab174472415c490df238b18e14a22162daff026bbe828d2375f0107be662c4f
df66645cb25a87f72bdac4ee457e8b22aff036c2c6c2d3f1073088a96ecc1058
ba160a62755295ba6e21d3d4b0188ed8913497271b9af9891709a2d2840ad1e5
1d05c32d38227623d5fdd3a1d13a82e5a55b015573955de7fb3a4e6ada564031
5d53d190c150a8f0efb04cdfd9f607d0cd30452eb1c9e5b59a97d137dd47ecb5
fb7e616458509e23902258b7679d2c3959cee8ebf03f77d0a443828394f2057f
dffbd774b50dd2319bff54a998b59872b1a5a2b7dcab844e7e0e6d00bd428af3
d13a59eb615e8939ec8c815a6fae8c48ca14ee11aaddc1852701461f4a69d6f9
60f044a9155db76cb1da5d910e976654e4998828647e6ec0ff8e6b09776e94ac
00e0fcfaa4beae4ea437bead66cdbeebfcb4f4cf203901847d515c2579e8ec35
8822e22d3710e18e50c34361ecc837557f5fe22c5cdf24cfea2575e77309c36b

SH256 hash:

e56e39078267b8746f80075748a69ced103c11869d502a86e58650c4743aaa14

MD5 hash:

49b01229f9e0883880917f7fbbe380ce

SHA1 hash:

70c65b5704742b9e8cf7953ab8b6dc6b5ef01bfc

Link:

https://www.unpac.me/results/e4bf04aa-f1c3-4bf4-b80c-6c32ae90c0de/

SH256 hash:

efefd03984e131c6ab6f3a7ec6e47a0176f4bbc9ba59955c1fb81c0fb9735dc8

MD5 hash:

a67b478beb2166013bf4ae4de6527f6f

SHA1 hash:

078ee9c300302b49f64d33b47f2cbc38575ea69c

Link:

https://www.unpac.me/results/e4bf04aa-f1c3-4bf4-b80c-6c32ae90c0de/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1ee19ca2ed68/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_Imphash_Mar23_2 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:	Internal Research

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Generic_Threat_7526f106 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Generic_Threat_cbe3313a Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mofksys

exe 1ee19ca2ed68e72acdb37d1c30bef464a330f66156830b61eca61f2dc432b274

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/22276/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaCopyBytes MSVBVM60.DLL::__vbaSetSystemError MSVBVM60.DLL::__vbaExitProc MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaFileOpen

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample