MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32e3ec4247ddd8d341983d41e083606af974411bacfaee04dd2d8cdcfa2faf33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mofksys


Vendor detections: 12



SHA256 hash: 32e3ec4247ddd8d341983d41e083606af974411bacfaee04dd2d8cdcfa2faf33
SHA3-384 hash: 1bd5421ecd1ad244b0a468bef600f34de45295f8a822a082e7d43ee67f148c4775a782ece06b216fa461344f3de33a0b
SHA1 hash: dad4f86e05b920386293befa9ec580c595d68557
MD5 hash: f1e3b1d5edd2fcbc639ab09f189716fd
humanhash: video-social-johnny-utah
File name: file
Signature: Mofksys
File size: 19'464'852 bytes
First seen: 2025-08-19 14:44:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep: 393216:Q19zPb6YrfBMYEJB4zKDghFLko2Tk3krZmi+Qh7MA1j+IxNI:KBDzPEJBrgco2wUUtQqwj+IbI
TLSH: T1B91733233726AD91E4728771BCAA5505B262EF2F4A619F5FF19B03C1443940EEB7260F
TrID: 42.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.4% (.ICL) Windows Icons Library (generic) (2059/9)
      18.9% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
dhash icon: 00928e8e8686b800 (21 x Mofksys, 9 x CryptOne, 5 x Amadey)
Reporter: jstrosch
Tags: exe Mofksys


jstrosch
Found at hxxps://anonhax[.]site/uploads/678987f3aa742_up%20(3).exe by #subcrawl

Intelligence


File Origin
# of uploads: 1
# of downloads: 45
Origin country: CA
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2025-08-19 15:37:34 UTC
Tags: jeefo auto-reg

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: trojware dropper spawn

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Setting a single autorun event
Enabling a "Do not show hidden files" option

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated overlay packed packer_detected visual_basic

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86

Threat name: Win32.Trojan.Swisyn
Status: Malicious
First seen: 2025-08-19 14:56:36 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 24 of 24 (100.00%)

Threat level: 5/5
Verdict: malicious
Label(s): mofksys
Similar samples:

Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery persistence

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Modifies visibility of hidden/system files in Explorer

Verdict: Malicious
Tags: trojan Win.Trojan.VBGeneric-6735875-0
YARA: Windows_Generic_Threat_7526f106 Windows_Generic_Threat_cbe3313a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: SEH__vba
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SUSP_Imphash_Mar23_2
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Zero hits with search for 'imphash:x p:0' on Virustotal)
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: Windows_Generic_Threat_7526f106
Author: Elastic Security

Rule name: Windows_Generic_Threat_cbe3313a
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Mofksys: Executable exe 32e3ec4247ddd8d341983d41e083606af974411bacfaee04dd2d8cdcfa2faf33 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_NX
Title: Missing Non-Executable Memory Protection
Severity: critical

ID: CHECK_PIE
Title: Missing Position-Independent Executable (PIE) Protection
Severity: high

ID: CHECK_TRUST_INFO
Title: Requires Elevated Execution (level:requireAdministrator)
Severity: high

Reviews

ID: VB_API
Capabilities: Legacy Visual Basic API used
Evidence:
  MSVBVM60.DLL::__vbaCopyBytes
  MSVBVM60.DLL::__vbaSetSystemError
  MSVBVM60.DLL::__vbaExitProc
  MSVBVM60.DLL::__vbaObjSetAddref
  MSVBVM60.DLL::EVENT_SINK_AddRef
  MSVBVM60.DLL::__vbaFileOpen
