MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e6b7383042f852ed2ddf1b537e847cbb5c0566e48cee6d8a21922ad60749c09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	3e6b7383042f852ed2ddf1b537e847cbb5c0566e48cee6d8a21922ad60749c09
SHA3-384 hash:	51fec906feefe88f059abe21cc5947de7d63d79b306da3e47f45df583014d5adc26f8406cb470d1d25641e5ad96f24b4
SHA1 hash:	2fd0f6c167343d2b8b6a308293be41b0ba31db93
MD5 hash:	08c44c70e30dbcb144290a73689709de
humanhash:	charlie-blue-william-quebec
File name:	svchost.exe
Download:	download sample
File size:	1'149'348 bytes
First seen:	2025-11-23 09:52:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9dffaeb4de0f0899dcc332737abce907 (1 x Simda)
ssdeep	24576:q6Zv27hBVnFys7wuVWVT0PAW0duYHM0/JTk6/DHSKgApGaF5+mW0o:qE27hQs7tWVToP0Hs0/htDH3pGaF5+1
TLSH	T17235230B33C15671CE4A533206871AA15E73A7BD0770983A77E8614B0DF2954BFB8AE6
TrID	30.2% (.EXE) Win64 Executable (generic) (10522/11/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4504/4/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 62d630c71e629942181046983fc202dda58d0182c45e69b0098275160e885ca6

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	1'098'148 bytes
File size (de-compressed) :	1'149'348 bytes
Format:	win32/pe
Packed file:	62d630c71e629942181046983fc202dda58d0182c45e69b0098275160e885ca6

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

svchost.exe

Verdict:

Suspicious activity

Analysis date:

2025-11-23 23:47:29 UTC

Tags:

auto-reg

Link:

https://app.any.run/tasks/df337f4d-d1d6-4ca2-b8b2-50122eb2058e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41053/

Detection(s):

Win.Trojan.Ulise-10005646-0

Win.Trojan.Agent-1364139

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the Windows subdirectories

Creating a file in the Windows directory

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

Launching a process

DNS request

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun with the shell\open\command registry branches

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context evasive fingerprint overlay overlay packed

Link:

https://www.filescan.io/uploads/6922e463eecb08e4aa45a9fc/reports/0a0e193a-d2bf-41fb-adb9-893a73bee0d7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3e6b7383042f852ed2ddf1b537e847cbb5c0566e48cee6d8a21922ad60749c09

Result

Gathering data

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1819497

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with benign system names

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspect Svchost Activity

Sigma detected: System File Execution Location Anomaly

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3e6b7383042f852ed2ddf1b537e847cbb5c0566e48cee6d8a21922ad60749c09

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/08c44c70e30dbcb144290a73689709de

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e6b7383042f852ed2ddf1b537e847cbb5c0566e48cee6d8a21922ad60749c09/

Threat name:

Win32.Trojan.Malex

Status:

Malicious

First seen:

2025-11-23 10:40:59 UTC

File Type:

PE (Exe)

AV detection:

33 of 36 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hzvxhayef6cs5uw56g2tp2chzo24avtojdhonwfcderk2ydutqeq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/251123-msyf2strbx/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Drops file in System32 directory

Adds Run key to start application

Executes dropped EXE

Modifies system executable filetype association

Boot or Logon Autostart Execution: Active Setup

Verdict:

Malicious

Tags:

Win.Trojan.Ulise-10005646-0

YARA:

n/a

Link:

https://app.threat.zone/submission/10adc958-c9d6-4880-b8bd-676ede79a060

Unpacked files

SH256 hash:

3e6b7383042f852ed2ddf1b537e847cbb5c0566e48cee6d8a21922ad60749c09

MD5 hash:

08c44c70e30dbcb144290a73689709de

SHA1 hash:

2fd0f6c167343d2b8b6a308293be41b0ba31db93

Link:

https://www.unpac.me/results/76fb1b25-ff2d-41f8-b6e4-74eef37ad8c0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.72

Link:

https://yomi.yoroi.company/submissions/3e6b7383042f852ed2ddf1b537e847cbb5c0566e48cee6d8a21922ad60749c09

File information

The table below shows additional information about this malware sample such as delivery method and external references.

exe 62d630c71e629942181046983fc202dda58d0182c45e69b0098275160e885ca6

exe 3e6b7383042f852ed2ddf1b537e847cbb5c0566e48cee6d8a21922ad60749c09

(this sample)

Dropped by

SHA256 62d630c71e629942181046983fc202dda58d0182c45e69b0098275160e885ca6

Dropped by

MD5 9e884b8caa175d1dd593b987ee1190c0

Cape

https://www.capesandbox.com/analysis/41053/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample