MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88a95c9176d4b02e04d629ee6e1d43e8946bd78e20a66eb2ffee2fa947036e30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88a95c9176d4b02e04d629ee6e1d43e8946bd78e20a66eb2ffee2fa947036e30
SHA3-384 hash: 992edd96f916360e0dbf030357a31aa5f884f518e45345485befd960b028c393f6f7071803977430fe249d165126a682
SHA1 hash: 8bb62ec6f91dca433c2259de3b197abb2d40cf1d
MD5 hash: 0167eef1bea0d25ff44f16ee7dc8b86c
humanhash: spaghetti-sodium-yankee-mississippi
File name:svchost.exe
Download: download sample
File size:3'301'910 bytes
First seen:2025-11-23 09:25:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d349bb1fedb23758a6e397e5d691576 (8 x Bancteian, 7 x AZORult, 1 x AgentTesla)
ssdeep 49152:+UJ6ZNXox4SgJhBsfHJq/nCFT4Mv0Pt97b:+tR4xGnCtvwf
TLSH T1A1E55B17B284283FC06B173A4837A754997FBE2166269C0F17F478CC8E7A5817D3A64B
TrID 64.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.9% (.EXE) Win32 Executable (generic) (4504/4/1)
3.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Hexastrike
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
8
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40590/
Gathering data
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the Windows directory
Creating a file
Creating a file in the %temp% directory
Moving a file to the Windows directory
Moving a recently created file
Creating a file in the %AppData% directory
Moving a file to the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Setting a keyboard event handler
DNS request
Blocking the User Account Control
Enabling a "Do not show hidden files" option
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint installer-heuristic keylogger overlay packed similar-threat
Link:
https://www.filescan.io/uploads/6922db31eecb08e4aa45a1c6/reports/d8d8f16a-10e9-45af-876b-207a26fdd3a3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/88a95c9176d4b02e04d629ee6e1d43e8946bd78e20a66eb2ffee2fa947036e30
Result
Gathering data
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/88a95c9176d4b02e04d629ee6e1d43e8946bd78e20a66eb2ffee2fa947036e30
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0167eef1bea0d25ff44f16ee7dc8b86c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88a95c9176d4b02e04d629ee6e1d43e8946bd78e20a66eb2ffee2fa947036e30/
Threat name:
Win32.Trojan.Bancteian
Create hunting rule
Status:
Malicious
First seen:
2025-11-23 08:11:43 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
35 of 36 (97.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcuvzelw2syc4bgwfhxg4hkd5ckgxv4oectg5mx75yx2srydnyya._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/251123-l1q69symhp/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Checks whether UAC is enabled
Executes dropped EXE
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
UAC bypass
Verdict:
Malicious
Tags:
Win.Trojan.Bancteian-0-6418983-0
YARA:
n/a
Link:
https://app.threat.zone/submission/cb6174b2-bcc6-4294-89b2-77c5b63047c7
Unpacked files
SH256 hash:
88a95c9176d4b02e04d629ee6e1d43e8946bd78e20a66eb2ffee2fa947036e30
MD5 hash:
0167eef1bea0d25ff44f16ee7dc8b86c
SHA1 hash:
8bb62ec6f91dca433c2259de3b197abb2d40cf1d
Link:
https://www.unpac.me/results/b5cc3e17-ce32-4ef0-acd5-8dcca27aa1ee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88a95c9176d4b02e04d629ee6e1d43e8946bd78e20a66eb2ffee2fa947036e30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/40590/

Comments