MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36a20e59f4b74a41eeceefdf5a5687c16d69f4fb44bb65d72d1d64c2ffbe7b9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36a20e59f4b74a41eeceefdf5a5687c16d69f4fb44bb65d72d1d64c2ffbe7b9a
SHA3-384 hash: 6c25f40335c64d081ee9f34ebc2b7b63d65138515a24003e1acf0049bc484b5416210c7c50b922ade61de21a48e7f1ae
SHA1 hash: 52e1eaf53b2a75ecf037ddbd2857330be046cef6
MD5 hash: a8029c0e43303be8b9a42f753d374489
humanhash: minnesota-harry-fish-early
File name:svchost.exe
Download: download sample
File size:1'098'329 bytes
First seen:2025-11-23 09:44:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dffaeb4de0f0899dcc332737abce907 (1 x Simda)
ssdeep 24576:q6Zv27hBVnFys7wuVWVT0PAW0duYHM0/JTk6/DHSKgApGaFyjtr:qE27hQs7tWVToP0Hs0/htDH3pGaFyZr
TLSH T1FB35230B33C15576CE8A533103472AB11FB3A7BD0770E83AB3E8944719F29447EB969A
TrID 30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 44bd72b8dcaca1bc1645383723d5e71aa01d6fa5407e4d8dce1d257cc449e908
File size (compressed) :1'047'129 bytes
File size (de-compressed) :1'098'329 bytes
Format:win32/pe
Packed file: 44bd72b8dcaca1bc1645383723d5e71aa01d6fa5407e4d8dce1d257cc449e908

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41033/
Gathering data
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context evasive fingerprint overlay overlay packed
Link:
https://www.filescan.io/uploads/6922e449eecb08e4aa45a9eb/reports/cb7b0447-e8af-486f-8b24-6ab079a49a97/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/36a20e59f4b74a41eeceefdf5a5687c16d69f4fb44bb65d72d1d64c2ffbe7b9a
Result
Gathering data
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1819376
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
PE file has a writeable .text section
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/36a20e59f4b74a41eeceefdf5a5687c16d69f4fb44bb65d72d1d64c2ffbe7b9a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/a8029c0e43303be8b9a42f753d374489
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36a20e59f4b74a41eeceefdf5a5687c16d69f4fb44bb65d72d1d64c2ffbe7b9a/
Threat name:
Win32.Trojan.Malex
Create hunting rule
Status:
Malicious
First seen:
2025-11-23 10:39:31 UTC
File Type:
PE (Exe)
AV detection:
33 of 36 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2ra4wpuw5fed3wo57pvuvuhyfwwt5h3is5wlvzndvsmf756pona._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251123-mrvc1atraw/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Modifies system executable filetype association
Boot or Logon Autostart Execution: Active Setup
Verdict:
Malicious
Tags:
Win.Trojan.Ulise-10005646-0
YARA:
n/a
Link:
https://app.threat.zone/submission/e08b5425-604f-4c6c-b11c-f561df9764ae
Unpacked files
SH256 hash:
36a20e59f4b74a41eeceefdf5a5687c16d69f4fb44bb65d72d1d64c2ffbe7b9a
MD5 hash:
a8029c0e43303be8b9a42f753d374489
SHA1 hash:
52e1eaf53b2a75ecf037ddbd2857330be046cef6
Link:
https://www.unpac.me/results/c0fce234-d264-437d-a4bd-ef106d3e138c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36a20e59f4b74a41eeceefdf5a5687c16d69f4fb44bb65d72d1d64c2ffbe7b9a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 44bd72b8dcaca1bc1645383723d5e71aa01d6fa5407e4d8dce1d257cc449e908

Executable exe 36a20e59f4b74a41eeceefdf5a5687c16d69f4fb44bb65d72d1d64c2ffbe7b9a

(this sample)

  
Dropped by
SHA256 44bd72b8dcaca1bc1645383723d5e71aa01d6fa5407e4d8dce1d257cc449e908
  
Dropped by
MD5 a259effaf417f2d75e9e309d1a04c0c6
Cape
Cape
https://www.capesandbox.com/analysis/41033/

Comments