MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fa5708edb31dc6b71b1429ae295228f48f59fbed1f38039ff99816cd10d0698. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fa5708edb31dc6b71b1429ae295228f48f59fbed1f38039ff99816cd10d0698
SHA3-384 hash: 89c37a6b4872143e5080a7fe3bf4a4fbece6bb21522d978b4a92a9295e1937ea90b8d9ce6fcbd6e6f748059d57bd83d0
SHA1 hash: e3468b837c10a634897092fac2a4529bbbef8823
MD5 hash: a75bb3c20f2109a3412cef9d814f72c1
humanhash: floor-seven-april-sixteen
File name:svchost.exe
Download: download sample
File size:125'567 bytes
First seen:2025-11-23 09:22:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c0c8ec0bdd07ad3a70b86c3d1ab5031 (4 x Swisyn)
ssdeep 1536:niyzlrXCu2lsuAoeQZZ86ukpj0nGGF9v+4Dvg:iyZCu2lhA1QZZ4kp4F9Xzg
TLSH T156C32803BD24457BD5A48DF098B6EA6DBA649E3A0BF59E4333C4AB952C7810375F120F
TrID 55.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
21.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.1% (.EXE) Win64 Executable (generic) (10522/11/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Hexastrike
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
12
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40392/
Detection(s):
Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VB-73199
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6922daf5b6ee81118d2c9d10
Tags:
injection trojan obfusc
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% directory
DNS request
Connection attempt
Setting a single autorun event
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm explorer lolbin overlay visual_basic
Link:
https://www.filescan.io/uploads/6922d799f96b58f0dc80b24a/reports/238c5689-fbd8-43fa-9635-ac50e91f76da/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4fa5708edb31dc6b71b1429ae295228f48f59fbed1f38039ff99816cd10d0698
Result
Gathering data
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4fa5708edb31dc6b71b1429ae295228f48f59fbed1f38039ff99816cd10d0698
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86
Link:
https://app.malva.re/file/a75bb3c20f2109a3412cef9d814f72c1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fa5708edb31dc6b71b1429ae295228f48f59fbed1f38039ff99816cd10d0698/
Threat name:
Win32.Trojan.Msposer
Create hunting rule
Status:
Malicious
First seen:
2025-11-21 22:43:32 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
35 of 36 (97.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6sxbdw3ghogw4nriknoffjcr5eplh562hzyaop7tgawzuina2ma._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence
Link:
https://tria.ge/reports/251123-lq26satjay/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Verdict:
Malicious
Tags:
Win.Malware.Swisyn-9942393-0
YARA:
n/a
Link:
https://app.threat.zone/submission/1918bb4f-687b-4cf8-9f27-737bccd0e5e1
Unpacked files
SH256 hash:
4fa5708edb31dc6b71b1429ae295228f48f59fbed1f38039ff99816cd10d0698
MD5 hash:
a75bb3c20f2109a3412cef9d814f72c1
SHA1 hash:
e3468b837c10a634897092fac2a4529bbbef8823
Link:
https://www.unpac.me/results/958aff3f-98f0-4b5e-af01-104f8ca1127d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fa5708edb31dc6b71b1429ae295228f48f59fbed1f38039ff99816cd10d0698

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/40392/

Comments