MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 714405eebd85f28d9b8592ba8482f88bc18f78902d8eceda9471935d55d420b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Worm.Mofksys

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	714405eebd85f28d9b8592ba8482f88bc18f78902d8eceda9471935d55d420b8
SHA3-384 hash:	610e5d261c0f90f1929d24bfdbbc33d12dbf3833c967b45ffa23b31e5e26e442c691efa295a444827c843effc54746f1
SHA1 hash:	dc41c695ab2cc7e16c25b22aee90cbf42d2c6337
MD5 hash:	6e958e2f67e78dba8542b01e5ca46373
humanhash:	network-fifteen-bakerloo-delta
File name:	svchost.exe
Download:	download sample
Signature	Worm.Mofksys Create hunting rule
File size:	70'966 bytes
First seen:	2025-11-23 09:24:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e029f98a2da83608852f59fa44f95f0e (1 x Worm.Mofksys)
ssdeep	1536:EHNYD2S7Q69jCMBXCrYa99YFPUBHENqYDP:YYKSkijCM6Ya9qJUpENqYDP
TLSH	T15263D099B1AF1A52F9566EFB9F2B903C5DC0DF928E27D3F012A810AD44FA21005DE617
TrID	64.9% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 21.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 3.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.5% (.EXE) Win32 Executable (generic) (4504/4/1) 1.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Hexastrike
Tags:	exe Worm.Mofksys

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/40506/

Detection(s):

Win.Malware.Swisyn-7610494-0

Win.Virus.Sality-6335700-2

Win.Malware.Swisyn-9942393-0

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6922ded1140de26f6c2c93ad

Tags:

injection sharew obfusc

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file in the Windows subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a process with a hidden window

Setting a keyboard event handler

Setting a global event handler

Creating a file in the %AppData% directory

Sending a custom TCP request

Setting a single autorun event

Launching the process to create tasks for the scheduler

Enabling autorun

Enabling a "Do not show hidden files" option

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed packed upx visual_basic zero

Link:

https://www.filescan.io/uploads/6922d9abeecb08e4aa45a03b/reports/e45ad3c1-ea77-4ade-b045-1accc9daf73b/overview

Verdict:

Malicious

Labled as:

Trojan.Swisyn

Link:

https://www.hybrid-analysis.com/sample/714405eebd85f28d9b8592ba8482f88bc18f78902d8eceda9471935d55d420b8

Result

Gathering data

Score:

81%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/714405eebd85f28d9b8592ba8482f88bc18f78902d8eceda9471935d55d420b8

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/6e958e2f67e78dba8542b01e5ca46373

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/714405eebd85f28d9b8592ba8482f88bc18f78902d8eceda9471935d55d420b8/

Threat name:

Win32.Trojan.Golsys

Status:

Malicious

First seen:

2025-11-22 09:13:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

35 of 36 (97.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ofcal3v5qxzi3g4fsk5ijaxyrpay66eqfwhm5wuuogjv2vouec4a._file

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion discovery persistence

Link:

https://tria.ge/reports/251123-lw6fdsymdj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Adds Run key to start application

Executes dropped EXE

Boot or Logon Autostart Execution: Active Setup

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Verdict:

Malicious

Tags:

Win.Malware.Swisyn-7610494-0

YARA:

n/a

Link:

https://app.threat.zone/submission/51a715f9-8cdc-416e-929f-2bf0d71edd3e

Unpacked files

SH256 hash:

58dc14e1784af63ea500fcbf9ae3c925fd880dd1d4158ac602d8ada05e15294a

MD5 hash:

603b0785953aa1996830b6fa014de34e

SHA1 hash:

5931a04501cff60cf9ac9a0fcb7a98db6bdccf66

Detections:

win_mofksys_auto

Link:

https://www.unpac.me/results/a3f041f9-7821-4d88-80ff-ddc0781d77d7/

SH256 hash:

714405eebd85f28d9b8592ba8482f88bc18f78902d8eceda9471935d55d420b8

MD5 hash:

6e958e2f67e78dba8542b01e5ca46373

SHA1 hash:

dc41c695ab2cc7e16c25b22aee90cbf42d2c6337

Link:

https://www.unpac.me/results/a3f041f9-7821-4d88-80ff-ddc0781d77d7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/714405eebd85f28d9b8592ba8482f88bc18f78902d8eceda9471935d55d420b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ProtectSharewareV11eCompservCMS Create hunting rule
Author:	malware-lu

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40506/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample