MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3693b5a46d2462187164263c8fbb9f5027967715b7cd65bac72ac1682de644ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Mofksys


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3693b5a46d2462187164263c8fbb9f5027967715b7cd65bac72ac1682de644ad
SHA3-384 hash: 41db45abda7f689034b7af7d01b438abb2705dc339103bbfd58dd3f69e054077c999467bb68b67e39dade3535bb0f017
SHA1 hash: a54cf724027830064c0607617af502e980af6eb5
MD5 hash: 3b55b1a5437160fafd122c23b955a9f9
humanhash: may-white-lamp-iowa
File name:svchost.exe
Download: download sample
Signature Worm.Mofksys
Create hunting rule
File size:197'340 bytes
First seen:2025-11-23 09:26:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 3072:evEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u9N:evEN2U+T6i5LirrllHy4HUcMQY6W
TLSH T12114E82BFA00702FE9A78AF06826A5A6BA352D311BD1AC4B63D1AF453471513F1F531F
TrID 58.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
22.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10522/11/4)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec Worm.Mofksys


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 186bf47ef9da314efe6908e3360df9c48a7f65783aada985aff914ce34146cd7
File size (compressed) :77'532 bytes
File size (de-compressed) :197'340 bytes
Format:win32/pe
Packed file: 186bf47ef9da314efe6908e3360df9c48a7f65783aada985aff914ce34146cd7

Intelligence

File Origin
# of uploads :
1
# of downloads :
18
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
No threats detected
Analysis date:
2025-11-23 18:44:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cad565db-4abf-4521-adbb-5c3e4706afab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40655/
Detection(s):
Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer lolbin overlay visual_basic
Link:
https://www.filescan.io/uploads/6922d57c6c89728b9825e976/reports/7c40893f-ee8e-4b06-8336-b0f70d4ca74c/overview
Verdict:
Malicious
Labled as:
Trojan.Swisyn
Link:
https://www.hybrid-analysis.com/sample/3693b5a46d2462187164263c8fbb9f5027967715b7cd65bac72ac1682de644ad
Result
Gathering data
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1819396
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Interactive AT Job
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1819396 Sample: svchost.exe Startdate: 23/11/2025 Architecture: WINDOWS Score: 100 63 zxq.net 2->63 65 vccmd03.googlecode.com 2->65 67 6 other IPs or domains 2->67 77 Antivirus detection for dropped file 2->77 79 Antivirus / Scanner detection for submitted sample 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 5 other signatures 2->83 11 svchost.exe 1 4 2->11         started        15 explorer.exe 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 file5 59 C:\Windows\System\explorer.exe, PE32 11->59 dropped 101 Drops executables to the windows directory (C:\Windows) and starts them 11->101 103 Drops PE files with benign system names 11->103 105 Installs a global keyboard hook 11->105 19 explorer.exe 3 71 11->19         started        signatures6 process7 dnsIp8 69 vccmd01.zxq.net 51.81.194.202, 443, 49695, 49696 OVHFR United States 19->69 71 142.250.105.82, 49694, 49702, 49705 GOOGLEUS United States 19->71 73 2 other IPs or domains 19->73 53 C:\Windows\System\spoolsv.exe, PE32 19->53 dropped 55 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 19->55 dropped 85 Antivirus detection for dropped file 19->85 87 System process connects to network (likely due to code injection or exploit) 19->87 89 Creates an undocumented autostart registry key 19->89 91 2 other signatures 19->91 24 spoolsv.exe 3 19->24         started        file9 signatures10 process11 file12 57 C:\Windows\System\svchost.exe, PE32 24->57 dropped 93 Antivirus detection for dropped file 24->93 95 Drops executables to the windows directory (C:\Windows) and starts them 24->95 97 Drops PE files with benign system names 24->97 99 Installs a global keyboard hook 24->99 28 svchost.exe 130 5 24->28         started        signatures13 process14 file15 61 C:\Users\user\AppData\Local\stsys.exe, PE32 28->61 dropped 107 Antivirus detection for dropped file 28->107 109 Detected CryptOne packer 28->109 111 Creates an undocumented autostart registry key 28->111 113 3 other signatures 28->113 32 spoolsv.exe 1 28->32         started        35 at.exe 1 28->35         started        37 at.exe 28->37         started        39 30 other processes 28->39 signatures16 process17 signatures18 75 Installs a global keyboard hook 32->75 41 conhost.exe 35->41         started        43 conhost.exe 37->43         started        45 conhost.exe 39->45         started        47 conhost.exe 39->47         started        49 conhost.exe 39->49         started        51 27 other processes 39->51 process19
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3693b5a46d2462187164263c8fbb9f5027967715b7cd65bac72ac1682de644ad
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86
Link:
https://app.malva.re/file/3b55b1a5437160fafd122c23b955a9f9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3693b5a46d2462187164263c8fbb9f5027967715b7cd65bac72ac1682de644ad/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2025-11-23 09:38:41 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
35 of 36 (97.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2j3ljdnerrbq4leey6i7o47katzm5yvw7gwlowhflawqlpgiswq._file
Result
Malware family:
mofksys
Create hunting rule
Score:
  10/10
Tags:
family:mofksys defense_evasion discovery persistence worm
Link:
https://tria.ge/reports/251123-l4rl7sen3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Detects Mofksys worm
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Mofksys
Mofksys family
Verdict:
Malicious
Tags:
trojan Win.Malware.Swisyn-7610494-0
YARA:
Windows_Generic_Threat_2bb7fbe3
Link:
https://app.threat.zone/submission/c60e3c41-5b07-4d5e-8f4d-b8be44052e5e
Unpacked files
SH256 hash:
548a26e62c5c06e1a8cfb4f9a586318caf10d1ce749392bd61579b1154c0d6b3
MD5 hash:
635b56bc5143ad4cf6db490d6091b085
SHA1 hash:
399a44dc11dcb85db57cff5809c1f58b0b4df822
Detections:
win_mofksys_auto
Create hunting rule
Link:
https://www.unpac.me/results/eb2c80b6-b69e-47dd-bf7d-cf5bcb276972/
SH256 hash:
3693b5a46d2462187164263c8fbb9f5027967715b7cd65bac72ac1682de644ad
MD5 hash:
3b55b1a5437160fafd122c23b955a9f9
SHA1 hash:
a54cf724027830064c0607617af502e980af6eb5
Detections:
win_mofksys_auto
Create hunting rule
Link:
https://www.unpac.me/results/eb2c80b6-b69e-47dd-bf7d-cf5bcb276972/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3693b5a46d2462187164263c8fbb9f5027967715b7cd65bac72ac1682de644ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Windows_Generic_Threat_2bb7fbe3
Create hunting rule
Author:Elastic Security
Rule name:win_mofksys_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.mofksys.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Worm.Mofksys

Executable exe 186bf47ef9da314efe6908e3360df9c48a7f65783aada985aff914ce34146cd7

Worm.Mofksys

Executable exe 3693b5a46d2462187164263c8fbb9f5027967715b7cd65bac72ac1682de644ad

(this sample)

  
Dropped by
SHA256 186bf47ef9da314efe6908e3360df9c48a7f65783aada985aff914ce34146cd7
  
Dropped by
MD5 4995eb8901e41117831ccbf6df7d0e34
Cape
Cape
https://www.capesandbox.com/analysis/40655/

Comments