MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b21e61cbed172002815078a2f7d8e2ff4db694f2fd453cbc0ac2c2b8d54957d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b21e61cbed172002815078a2f7d8e2ff4db694f2fd453cbc0ac2c2b8d54957d6
SHA3-384 hash: 84ea436a3f0585706190b202e46d95ab081eb9c5dc4dd95a6b10ec9b056d0fed674c3bc0a699e1081385c9fbf1ab5c9b
SHA1 hash: cdf8d8c8c5a8f687c52964ace87ddcd5086e93ef
MD5 hash: f47e64f96813836829b155d856571517
humanhash: thirteen-echo-orange-pip
File name:svchost.exe
Download: download sample
File size:300'030 bytes
First seen:2025-11-23 09:28:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c0c8ec0bdd07ad3a70b86c3d1ab5031 (4 x Swisyn)
ssdeep 3072:AygCullUQN7gsBh1L1QygCullUQN7gsBh1L1g:ARleK7712RleK7716
Threatray 146 similar samples on MalwareBazaar
TLSH T138545C11FE60551BD327C4F18CBA9229BC21EE7607602E871699FA8669714077FF234F
TrID 55.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
21.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.1% (.EXE) Win64 Executable (generic) (10522/11/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Hexastrike
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
22
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40767/
Detection(s):
Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Malware.Score-6870587-0
Create hunting rule

Win.Trojan.Swisyn-555
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% directory
DNS request
Connection attempt
Sending an HTTP GET request
Setting a single autorun event
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin overlay overlay swisyn visual_basic
Link:
https://www.filescan.io/uploads/6922dec5f96b58f0dc80b6b0/reports/6540355e-c035-4f1b-a4ef-1904ea2b5efb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b21e61cbed172002815078a2f7d8e2ff4db694f2fd453cbc0ac2c2b8d54957d6
Result
Gathering data
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b21e61cbed172002815078a2f7d8e2ff4db694f2fd453cbc0ac2c2b8d54957d6
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86
Link:
https://app.malva.re/file/f47e64f96813836829b155d856571517
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b21e61cbed172002815078a2f7d8e2ff4db694f2fd453cbc0ac2c2b8d54957d6/
Threat name:
Win32.Trojan.Msposer
Create hunting rule
Status:
Malicious
First seen:
2025-11-22 08:40:54 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
32 of 36 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wipgds7nc4qafakqpcrppwhc75g3nfhs7vctzpakylblrvkjk7la._file
Verdict:
malicious
Label(s):
mofksys
Create hunting rule
Similar samples:
0071fd8f074a69e3145106a3a8607844e5bdafe96ad70e307d5b54c0094a0103
03c8d5b7d488f876b336921a594d7253c98d9599178d316be09f76f23db1b07e
0d237244a7f008094c4aceb20d24d34549f6e3781451efa79c2bdb0351836777
14daa69f4b31347a29e772e799404be4aa8b880844d2caf9fadd7c0de4ea8734
1c61bc03c520874000179481f5061d331377e406f55278a46c27f1c397507f2f
32e3ec4247ddd8d341983d41e083606af974411bacfaee04dd2d8cdcfa2faf33
4098f8a25a64b8bd44094fb72536eecd5b1e1a01bf15aa02984ee6fbd1137d76
45884ce399da62cf819867e19ee253ba5e2c9ac12e96bf9f2f0fd54d31f6435d
cedcdae8268be2c3aa7dbb6f82a57ea7d3e1dff717307d7f62ba7326f8e3677c
e7658ef257e279691122e25e041c48605664bce5f885baa5aa186336dc14b7b0
error
+ 136 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence
Link:
https://tria.ge/reports/251123-mahmwaep7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Verdict:
Malicious
Tags:
Win.Malware.Swisyn-9942393-0
YARA:
n/a
Link:
https://app.threat.zone/submission/e26e85c7-8447-4495-8c80-838b1a4008ca
Unpacked files
SH256 hash:
b21e61cbed172002815078a2f7d8e2ff4db694f2fd453cbc0ac2c2b8d54957d6
MD5 hash:
f47e64f96813836829b155d856571517
SHA1 hash:
cdf8d8c8c5a8f687c52964ace87ddcd5086e93ef
Link:
https://www.unpac.me/results/d98eb03e-f6af-4ea4-b418-d84b291ed19c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b21e61cbed172002815078a2f7d8e2ff4db694f2fd453cbc0ac2c2b8d54957d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/40767/

Comments