MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f95e46cf755ff1b0f25bdc4dc542d3f379f1270ce9ca5282a7755e9bcf05b4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10

SHA256 hash: 7f95e46cf755ff1b0f25bdc4dc542d3f379f1270ce9ca5282a7755e9bcf05b4a
SHA3-384 hash: c4f92dbbd19a799f37ed986eefaa098f187f6dc892d8d1bbac2f5cfb1309aecd5d6645541ba12502be38a9bb0597aa32
SHA1 hash: e5fbb18d03e57ba9e15992f5b767d40cfeb49fe8
MD5 hash: 9a3dcd7d34aa747e9fec232153d77b7b
humanhash: ceiling-sixteen-beryllium-romeo
File name: svchost.exe
File size: 1'650'050 bytes
First seen: 2025-11-23 09:24:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 37c6c0cc4d20c311c793c6b743da8942 (2 x Kimsuky, 1 x CryptOne)
ssdeep: 24576:l9cdOqX1uugliQzd4mNy9Sh5hJgpiwVQLJaOSZ4LehoZza9gNWmAO5ehlMP:l9UX1eBx4mYo83vOSeyeaKrR
TLSH: T15375BF6E7FC06335D222983A64422B7074E2EE968F08E5753DF8F22A1F72F679451217
TrID: 62.6% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
      23.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      3.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      3.4% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.5% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: Hexastrike
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 9
Origin country: IE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 crypt dllhost enigma installer-heuristic lolbin obfuscated overlay packed regsvr32 replace visual_basic xpack zero
Result
Verdict: inconclusive
YARA: 6 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Infostealer.Mofksys
Status: Malicious
First seen: 2025-11-23 08:19:18 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 33 of 36 (91.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Verdict: Malicious
Tags: red_team_tool Win.Malware.Ulise-10034617-0
YARA: MAL_Unknown_PWDumper_Apr18_3
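The behaviours the two sandboxes list above (Run key added, Winlogon modified for persistence, Active Setup autostart, hidden files re-hidden in Explorer, a dropped svchost.exe started from a user-writable or Windows subdirectory) all leave traces in the registry, which is where an incident responder would look first on a suspect host. The script below is an added example, not MalwareBazaar's or any vendor's code: it parses a registry export (.reg text) and flags those locations. The excerpt it runs on is constructed, the user name, GUID and paths in it are invented, and the stock Winlogon defaults it compares against (Shell = explorer.exe, Userinit ending in \userinit.exe) are an assumption; scheduled tasks live outside the registry and are not covered.

```python
# Added example (not MalwareBazaar's or any vendor's code): hunt for the
# persistence and Explorer-visibility changes the sandbox reports above in a
# Windows registry export (.reg text).  SAMPLE_REG is a constructed excerpt;
# the user name, GUID and paths in it are assumptions, not data from the sample.
import re

WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
ACTIVE_SETUP_PART = "\\active setup\\installed components\\"
EXPLORER_ADV_SUFFIX = r"\explorer\advanced"
# Directories a standard user can write to; an autostart pointing here is
# worth a look, a path under System32 is not suspicious by itself.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Yield (key, value_name, data) for each value in a .reg export.
    Quoted string data is unescaped; dword:/hex: data is kept as written."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # \\ -> \ and \" -> "
        yield key, name, data


def hunt(reg_text):
    """Return (severity, description, key, name, data) findings."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        lk, ln, ld = key.lower(), name.lower(), data.lower()
        if lk.endswith(RUN_KEY_SUFFIXES):
            sev = "suspicious" if any(p in ld for p in USER_WRITABLE) else "info"
            findings.append((sev, "Run/RunOnce autostart entry", key, name, data))
            # The entry's file name is svchost.exe; the real one lives in System32.
            if "svchost.exe" in ld and "\\windows\\system32\\" not in ld:
                findings.append(("suspicious", "svchost.exe outside System32", key, name, data))
        elif lk == WINLOGON_KEY:
            # Stock values (assumption): Shell = explorer.exe, Userinit = ...\userinit.exe,
            if ln == "shell" and ld != "explorer.exe":
                findings.append(("suspicious", "Winlogon Shell replaced", key, name, data))
            elif ln == "userinit" and not ld.rstrip(", ").endswith("\\userinit.exe"):
                findings.append(("suspicious", "Winlogon Userinit chained", key, name, data))
        elif ACTIVE_SETUP_PART in lk and ln == "stubpath":
            findings.append(("suspicious", "Active Setup StubPath", key, name, data))
        elif lk.endswith(EXPLORER_ADV_SUFFIX):
            # Hidden=2 / ShowSuperHidden=0 are also the stock defaults, so report
            # them as context, not as evidence on their own.
            if ln == "hidden" and ld == "dword:00000002":
                findings.append(("info", "Explorer: hidden files not shown", key, name, data))
            elif ln == "showsuperhidden" and ld == "dword:00000000":
                findings.append(("info", "Explorer: protected OS files hidden", key, name, data))
    return findings


# Constructed .reg excerpt (assumption: not taken from the sample's run).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

if __name__ == "__main__":
    for sev, what, key, name, data in hunt(SAMPLE_REG):
        print(f"[{sev:10}] {what}: {key}\\{name} = {data}")
```

Feed it the output of reg export for the hives of interest (or a .reg produced from an offline hive by another tool). The "info" findings for Hidden and ShowSuperHidden are the same values a clean machine ships with; they matter only next to a dropped file that was marked hidden, which is exactly the combination the first sandbox reports.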
Unpacked files
SHA256 hash: 108ffc282f3879096231455ef75304c269f9d526215c73216e869176fce5aabb
MD5 hash: f249ac230321db40c08c4eb0c3a2f856
SHA1 hash: cb2a60a4b32ac9db304e6626e27090981bf9d111
Detections: MAL_Unknown_PWDumper_Apr18_3 INDICATOR_EXE_Packed_Loader

SHA256 hash: dadca335ab25517609326de40001ea5aaeb0bfa1139f3458df26b07209dc121b
MD5 hash: 5f2a0d681844db68511822247258b551
SHA1 hash: 8fc493af235064349122c82d6bdfb010762734c3

SHA256 hash: 2a07e9d82531a6e8707d010d217157303a827d8ecce36f58372401b87849728e
MD5 hash: 6564864bc27d4f1fd140648fbea35a0f
SHA1 hash: 0fbce743661919c46427c59237a2c823155eac31

SHA256 hash: 7f95e46cf755ff1b0f25bdc4dc542d3f379f1270ce9ca5282a7755e9bcf05b4a
MD5 hash: 9a3dcd7d34aa747e9fec232153d77b7b
SHA1 hash: e5fbb18d03e57ba9e15992f5b767d40cfeb49fe8
Please note that we are no longer able to provide a coverage score for VirusTotal.
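The hashes in the file-information block and in the unpacked-files list above are the IOCs a practitioner takes away from this entry. The script below is an added example, not MalwareBazaar's code: it carries those hashes, computes the same four digests over a file in one pass and reports which entry a file hits. Note that the last "unpacked" hash set on the page is identical to the submitted sample (same SHA256, SHA1 and MD5), so it is the sample itself rather than a further layer and is not listed twice. The demo bytes and any paths are constructed; the file name svchost.exe is deliberately not used as an indicator, since the legitimate binary of that name lives in System32 and content hashes are what identify this sample.

```python
# Added example (not MalwareBazaar's code): check files against the hash IOCs
# on this page.  The hashes in IOCS are copied from the entry; everything else
# (paths, demo bytes) is constructed for illustration.
import hashlib
import os

# (label, sha256, sha1, md5) as listed on the entry.  The entry's final
# "unpacked" file has the same hashes as the submitted sample, so it is omitted.
IOCS = [
    ("submitted sample, svchost.exe",
     "7f95e46cf755ff1b0f25bdc4dc542d3f379f1270ce9ca5282a7755e9bcf05b4a",
     "e5fbb18d03e57ba9e15992f5b767d40cfeb49fe8",
     "9a3dcd7d34aa747e9fec232153d77b7b"),
    ("unpacked file 1 (MAL_Unknown_PWDumper_Apr18_3, INDICATOR_EXE_Packed_Loader)",
     "108ffc282f3879096231455ef75304c269f9d526215c73216e869176fce5aabb",
     "cb2a60a4b32ac9db304e6626e27090981bf9d111",
     "f249ac230321db40c08c4eb0c3a2f856"),
    ("unpacked file 2",
     "dadca335ab25517609326de40001ea5aaeb0bfa1139f3458df26b07209dc121b",
     "8fc493af235064349122c82d6bdfb010762734c3",
     "5f2a0d681844db68511822247258b551"),
    ("unpacked file 3",
     "2a07e9d82531a6e8707d010d217157303a827d8ecce36f58372401b87849728e",
     "0fbce743661919c46427c59237a2c823155eac31",
     "6564864bc27d4f1fd140648fbea35a0f"),
]


def digests(data_or_fobj, chunk=1 << 20):
    """Compute the four digests shown on the entry in a single pass over
    either a bytes object or a binary file object."""
    hs = {"sha256": hashlib.sha256(), "sha1": hashlib.sha1(),
          "md5": hashlib.md5(), "sha3_384": hashlib.sha3_384()}
    if isinstance(data_or_fobj, (bytes, bytearray)):
        for h in hs.values():
            h.update(data_or_fobj)
    else:
        while True:
            block = data_or_fobj.read(chunk)
            if not block:
                break
            for h in hs.values():
                h.update(block)
    return {k: h.hexdigest() for k, h in hs.items()}


def build_index(iocs):
    """Map (algorithm, hex digest) -> [labels] so any of the three hashes can hit."""
    idx = {}
    for label, sha256, sha1, md5 in iocs:
        for algo, value in (("sha256", sha256), ("sha1", sha1), ("md5", md5)):
            idx.setdefault((algo, value.lower()), []).append(label)
    return idx


def match(d, iocs=IOCS):
    """Return sorted (verdict, label) pairs for a digest dict from digests().
    A SHA256 hit is 'confirmed'; a hit on MD5 or SHA1 alone is 'weak' (a stale
    or mistyped IOC, or a collision) and needs a second look before acting."""
    idx = build_index(iocs)
    hits = {}
    for algo in ("sha256", "sha1", "md5"):
        for label in idx.get((algo, d[algo].lower()), []):
            hits.setdefault(label, set()).add(algo)
    return [("confirmed" if "sha256" in algos else "weak", label)
            for label, algos in sorted(hits.items())]


def scan_tree(root, iocs=IOCS):
    """Walk a directory; return {path: matches} for files hitting the table.
    Matching is on content only, never on the file name."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                with open(p, "rb") as f:
                    m = match(digests(f), iocs)
            except OSError:
                continue
            if m:
                found[p] = m
    return found


if __name__ == "__main__":
    demo = digests(b"constructed demo bytes, not the sample")   # constructed input
    print("sha256  ", demo["sha256"])
    print("sha3-384", demo["sha3_384"])
    print("matches ", match(demo) or "none")
```

scan_tree over a user profile or a collected triage image gives a quick yes/no for this entry; a "weak" result should be re-checked against the SHA256 before it is treated as a confirmed hit.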

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: EnigmaProtector11X13XSukhovVladimirSergeNMarkin
Author: malware-lu
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name: INDICATOR_EXE_Packed_Enigma
Author: ditekSHen
Description: Detects executables packed with Enigma
Rule name: INDICATOR_EXE_Packed_Loader
Author: ditekSHen
Description: Detects packed executables observed in Molerats
Rule name: MAL_Unknown_PWDumper_Apr18_3
Author: Florian Roth (Nextron Systems)
Description: Detects sample from unknown sample set - IL origin
Reference: Internal Research
Rule name: MAL_Unknown_PWDumper_Apr18_3_RID312A
Author: Florian Roth
Description: Detects sample from unknown sample set - IL origin
Reference: Internal Research
Rule name: ProtectSharewareV11eCompservCMS
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: SUSP_XORed_URL_In_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
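Two of the matching rules above, SUSP_XORed_URL_In_EXE and its _RID2E46 variant, look for a URL prefix obscured with a single-byte XOR key, the kind of light obfuscation that hides a C2 address from a plain strings pass. The script below is an added example of that idea in Python, not the rule itself and not Nextron's or MalwareBazaar's code: it searches a buffer for http:// and https:// under every single-byte key (what YARA's xor string modifier expresses) and decodes the URL that follows. The buffer it runs on is constructed and the host name in it is invented. Because the sample is tagged as Enigma-packed, the URL may only appear once the packer layer is gone, which is one reason these rules are also run against process dumps and not only against the file on disk.

```python
# Added example (not the SUSP_XORed_URL_In_EXE rule itself, nor Nextron's or
# MalwareBazaar's code): find URL prefixes hidden under a single-byte XOR key.
# SAMPLE below is a constructed buffer; the host name in it is an assumption.
URL_PREFIXES = (b"http://", b"https://")
# RFC 3986 unreserved + reserved characters; decoding stops at anything else.
URL_CHARS = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    b"-._~:/?#[]@!$&'()*+,;=%"
)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_xored_urls(buf, keys=range(1, 256), max_len=512):
    """Return sorted (offset, key, url) for every URL prefix found under a
    single-byte XOR key in buf.  Key 0 (plaintext) is left to ordinary string
    search; multi-byte or rolling keys and anything still inside a packer
    layer are out of scope."""
    hits = []
    for key in keys:
        for prefix in URL_PREFIXES:
            needle = xor_bytes(prefix, key)
            start = 0
            while True:
                off = buf.find(needle, start)
                if off < 0:
                    break
                end = off
                # Extend while the decoded byte is still a plausible URL character.
                while end < len(buf) and end - off < max_len and (buf[end] ^ key) in URL_CHARS:
                    end += 1
                hits.append((off, key, xor_bytes(buf[off:end], key).decode("ascii")))
                start = off + 1
    return sorted(hits)


def scan_file(path, **kwargs):
    """Run the scan over a file on disk or a process dump."""
    with open(path, "rb") as f:
        return find_xored_urls(f.read(), **kwargs)


# Constructed: a fake header, one URL XORed with 0x5A (NUL terminator included
# so decoding stops where the original string would), and a plaintext URL that
# a strings pass would catch and this scan deliberately ignores.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + xor_bytes(b"https://c2.example.invalid/gate.php?id=\x00", 0x5A)
    + b"\xff" * 4
    + b"http://www.example.invalid/ plain text"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, key, url in find_xored_urls(SAMPLE):
        print(f"offset 0x{off:x} key 0x{key:02x}: {url}")
```

Expect false positives on large binaries for short prefixes under some keys; the decoded URL length and whether it resolves to a plausible host are the usual sanity checks before an address goes into a blocklist.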

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments