MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7fdf1c3c07b8b8482be6067cbc09cb20176c1ec5823cda8a38418e9d554486e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7fdf1c3c07b8b8482be6067cbc09cb20176c1ec5823cda8a38418e9d554486e
SHA3-384 hash: 2dd76971e12ca0b6caefb53f7ea404aa883130012aeea824e9120ffc39191a04145e6da07ca03d54718bf09efecd7eca
SHA1 hash: 50c890d1956601ef9dc2df1e14b75fbc53bbb093
MD5 hash: 367083a752c6e9fdd748955e4fed64e3
humanhash: social-california-fillet-kilo
File name:svchost.exe
Download: download sample
File size:511'211 bytes
First seen:2025-11-23 09:29:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5ada287cb0bdf614b7546b62f89ebb1
ssdeep 6144:PtzTdR5XkNq80PzW+Io1HySsWWoA0gTRrm8dEaJq0OMBVgWwAidpNCgrBF:lzTJbAodco3gTksJqmVgWwAkAQ
Threatray 13 similar samples on MalwareBazaar
TLSH T129B47D26F7D08433D2631A78DC978664EC26BE503E2965863BF92E0C5F3D38179263D6
TrID 85.5% (.EXE) ASPack compressed Win32 Executable (generic) (133819/79/30)
6.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
2.8% (.EXE) Win32 Executable (generic) (4504/4/1)
1.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Hexastrike
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
17
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40788/
Gathering data
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a service
Creating a file in the Windows subdirectories
Launching a process
Creating a process with a hidden window
Loading a suspicious library
Creating a process from a recently created file
Searching for the window
Enabling autorun for a service
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug aspack base64 borland_delphi evasive fingerprint keylogger lolbin overlay overlay packed packed packed regedit regsvr32
Link:
https://www.filescan.io/uploads/6922df245d3feebe12d8145a/reports/7a00ce31-cee3-4e7b-888d-aced81a52376/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b7fdf1c3c07b8b8482be6067cbc09cb20176c1ec5823cda8a38418e9d554486e
Result
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b7fdf1c3c07b8b8482be6067cbc09cb20176c1ec5823cda8a38418e9d554486e
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/367083a752c6e9fdd748955e4fed64e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7fdf1c3c07b8b8482be6067cbc09cb20176c1ec5823cda8a38418e9d554486e/
Threat name:
Win32.Infostealer.QQPass
Create hunting rule
Status:
Malicious
First seen:
2025-11-22 08:37:22 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
32 of 36 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w767dq6apofyjav6mbt4xqe4wiaxnqpmlar43kfdqqmotvkujbxa._file
Verdict:
malicious
Label(s):
unc_loader_082
Create hunting rule
Similar samples:
081ac68fd9502edd6aa642115d0fbaa47c58fdfd5123c7a1306a83fed6c074be
4d8febcf12d4e13f59f16516af3576201775f352b69e943223f10fffbe535306
57d1612454ce37a8df2c12efdb27e1de47f0879775cab38d1d4efb3d31ba96f7
607a094b7bfa7f9a775cdd2685a6404ed225914b10086e5797ee5b2980967bbb
744d7fc9796a48f7d5b1173b91d1b018f13f91db7798a3d9cfd27fb22d678898
7e14eaa00ef1ae64fbf172f92b40b0602be0a352c5933cca9ad03a1333660508
b7fdf1c3c07b8b8482be6067cbc09cb20176c1ec5823cda8a38418e9d554486e
c9102acb6323c4f24b56ec7e32878b6865ba5b26b816d8febdf4b31eac5506f3
cd6e282159e4117dca53cf28d0c314364a2c739bd0c32173737ffb565e981bc3
error
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
aspackv2 discovery persistence
Link:
https://tria.ge/reports/251123-mbemlsep8v/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
b7fdf1c3c07b8b8482be6067cbc09cb20176c1ec5823cda8a38418e9d554486e
MD5 hash:
367083a752c6e9fdd748955e4fed64e3
SHA1 hash:
50c890d1956601ef9dc2df1e14b75fbc53bbb093
Link:
https://www.unpac.me/results/4cc21e23-2616-4df3-9d6a-ab5dc792df1c/
SH256 hash:
f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
MD5 hash:
876a2a99b81968f5b26e3cbe12063d2b
SHA1 hash:
7afa8f33b691b2651b65eb07220cc2fda4b7537c
Detections:
INDICATOR_EXE_Packed_ASPack
Create hunting rule
Link:
https://www.unpac.me/results/4cc21e23-2616-4df3-9d6a-ab5dc792df1c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7fdf1c3c07b8b8482be6067cbc09cb20176c1ec5823cda8a38418e9d554486e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ScanStringsInsocks5systemz
Create hunting rule
Author:Byambaa@pubcert.mn
Description:Scans presence of the found strings using the in-house brute force method
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/40788/

Comments