MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Mofksys


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b
SHA3-384 hash: c0fa27e4a35257d16b2af13e7227af7c30151ad3f7457d8f717cc8ec22e6ff0fc77529b4ff483d8b84d8a1973c1be319
SHA1 hash: 3835aed8c803ea0cc026fcf19409497607396cd1
MD5 hash: b4f0369f518fbe580102fb0a64c80642
humanhash: steak-pennsylvania-fillet-hotel
File name:svchost.exe
Download: download sample
Signature Worm.Mofksys
Create hunting rule
File size:197'319 bytes
First seen:2025-11-23 10:01:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 3072:evEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u90:evEN2U+T6i5LirrllHy4HUcMQY6p
Threatray 186 similar samples on MalwareBazaar
TLSH T13114F92BFA00702ED8A385F05466A2A7BA252D361BD19C0F67D1AF4A34B1613F5F531F
TrID 58.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
22.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10522/11/4)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec Worm.Mofksys


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 889d87031d12f9675ec59b08bda719e74cd5c0f3fe8731060df8ee645e21f4e3
File size (compressed) :77'511 bytes
File size (de-compressed) :197'319 bytes
Format:win32/pe
Packed file: 889d87031d12f9675ec59b08bda719e74cd5c0f3fe8731060df8ee645e21f4e3

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
No threats detected
Analysis date:
2025-11-23 23:54:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9717c49a-16b5-435c-a945-74d43bcd0f11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41063/
Detection(s):
Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Sending a custom TCP request
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer lolbin overlay visual_basic
Link:
https://www.filescan.io/uploads/6922e4e7eecb08e4aa45aa72/reports/4651d035-427e-4b9c-83ef-2d7673e6c628/overview
Verdict:
Malicious
Labled as:
Trojan.Swisyn
Link:
https://www.hybrid-analysis.com/sample/806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b
Result
Gathering data
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1819477
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Interactive AT Job
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1819477 Sample: svchost.exe Startdate: 23/11/2025 Architecture: WINDOWS Score: 100 67 zxq.net 2->67 69 vccmd03.googlecode.com 2->69 71 6 other IPs or domains 2->71 73 Antivirus detection for dropped file 2->73 75 Antivirus / Scanner detection for submitted sample 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 5 other signatures 2->79 11 svchost.exe 1 4 2->11         started        15 explorer.exe 2->15         started        signatures3 process4 file5 59 C:\Windows\System\explorer.exe, PE32 11->59 dropped 105 Drops executables to the windows directory (C:\Windows) and starts them 11->105 107 Drops PE files with benign system names 11->107 109 Installs a global keyboard hook 11->109 17 explorer.exe 3 62 11->17         started        signatures6 process7 dnsIp8 61 vccmd01.zxq.net 51.81.194.202, 443, 49686, 49687 OVHFR United States 17->61 63 googlecode.l.googleusercontent.com 173.194.219.82, 49683, 49691, 49695 GOOGLEUS United States 17->63 65 74.125.138.82, 49684, 49685, 49692 GOOGLEUS United States 17->65 51 C:\Windows\System\spoolsv.exe, PE32 17->51 dropped 53 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 17->53 dropped 81 Antivirus detection for dropped file 17->81 83 System process connects to network (likely due to code injection or exploit) 17->83 85 Creates an undocumented autostart registry key 17->85 87 2 other signatures 17->87 22 spoolsv.exe 3 17->22         started        file9 signatures10 process11 file12 55 C:\Windows\System\svchost.exe, PE32 22->55 dropped 89 Antivirus detection for dropped file 22->89 91 Drops executables to the windows directory (C:\Windows) and starts them 22->91 93 Drops PE files with benign system names 22->93 95 Installs a global keyboard hook 22->95 26 svchost.exe 136 4 22->26         started        signatures13 process14 file15 57 C:\Users\user\AppData\Local\stsys.exe, PE32 26->57 dropped 97 Antivirus detection for dropped file 26->97 99 Detected CryptOne packer 26->99 101 Creates an undocumented autostart registry key 26->101 103 3 other signatures 26->103 30 spoolsv.exe 1 26->30         started        33 at.exe 1 26->33         started        35 at.exe 26->35         started        37 31 other processes 26->37 signatures16 process17 signatures18 111 Installs a global keyboard hook 30->111 39 conhost.exe 33->39         started        41 conhost.exe 35->41         started        43 conhost.exe 37->43         started        45 conhost.exe 37->45         started        47 conhost.exe 37->47         started        49 28 other processes 37->49 process19
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86
Link:
https://app.malva.re/file/b4f0369f518fbe580102fb0a64c80642
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2025-11-23 10:42:42 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
35 of 36 (97.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbx66h4jb26pa5e6tdvmzluc22zpeaaupr6xy3nnmhzmiz23yjnq._file
Verdict:
malicious
Label(s):
mofksys
Create hunting rule
Similar samples:
21454d8d5466c03b94a9eff665ad30dabc538341cdd60b466a3b82fc06abb4fc
Worm.Mofksys
2c34ff6ec34bb71edb9e73f29af4cbfc610da2c99e18b7f3c85535c097b1a87c
Worm.Mofksys
5ad88b48598633133d30a79c10cde8860cdf5a2d05ed4fd6227dd4a7449d02d9
Worm.Mofksys
806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b
Worm.Mofksys
9016cee4d0d99fc436d37ff917dc9504b7f407a5ed547baee58f50e74d1a83e5
Worm.Mofksys
b248184edd8902113f4791ab7d08c8acd8544c7aebb23661348a96e738d35170
Worm.Mofksys
b6549952e58bfb46347587744b0d6b0d01ef95ab26de209ae4bb6e8e1121cd49
Worm.Mofksys
c01b4d9246c5173746dc43fae6103017d141b15f0b87e1e879929404fa9bbf7a
Worm.Mofksys
error
Worm.Mofksys
+ 176 additional samples on MalwareBazaar
Result
Malware family:
mofksys
Create hunting rule
Score:
  10/10
Tags:
family:mofksys defense_evasion discovery persistence worm
Link:
https://tria.ge/reports/251123-msy3ksfj91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Detects Mofksys worm
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Mofksys
Mofksys family
Verdict:
Malicious
Tags:
trojan Win.Malware.Swisyn-7610494-0
YARA:
Windows_Generic_Threat_2bb7fbe3
Link:
https://app.threat.zone/submission/7770641c-06da-41af-8793-7426dba84442
Unpacked files
SH256 hash:
806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b
MD5 hash:
b4f0369f518fbe580102fb0a64c80642
SHA1 hash:
3835aed8c803ea0cc026fcf19409497607396cd1
Detections:
win_mofksys_auto
Create hunting rule
Link:
https://www.unpac.me/results/01ae8375-16cd-43c5-93eb-14e917ea0f7f/
SH256 hash:
b10e2bdfecb14b0beb0ce1b0fd37c755c9bd8e3cb50677d131d1342b66526981
MD5 hash:
dbdf9f3d2a0dc906129780447b63317a
SHA1 hash:
3d85647928c67d58fb6541c85d3d5f8128129cdd
Detections:
win_mofksys_auto
Create hunting rule
Link:
https://www.unpac.me/results/01ae8375-16cd-43c5-93eb-14e917ea0f7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Windows_Generic_Threat_2bb7fbe3
Create hunting rule
Author:Elastic Security
Rule name:win_mofksys_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.mofksys.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Worm.Mofksys

Executable exe 889d87031d12f9675ec59b08bda719e74cd5c0f3fe8731060df8ee645e21f4e3

Worm.Mofksys

Executable exe 806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b

(this sample)

  
Dropped by
SHA256 889d87031d12f9675ec59b08bda719e74cd5c0f3fe8731060df8ee645e21f4e3
  
Dropped by
MD5 f07b943297a5dded43cbf0e66e9f40c1
Cape
Cape
https://www.capesandbox.com/analysis/41063/

Comments