MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2c8e9c95bd0488086a716bd9696ced3718624879844eecbac1ed69a01fb32a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Mofksys


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2c8e9c95bd0488086a716bd9696ced3718624879844eecbac1ed69a01fb32a2
SHA3-384 hash: 44753d4811d693ba1641701dfb733ee2b1489ee2d19d376f9a556292f57041d63b4f33e16eef60ad059dd5a1ca6b920d
SHA1 hash: 288a4c5ce11986d4d68610803989d2bf9b7a0e3e
MD5 hash: b424b582841e383e8d31938f5af48d5f
humanhash: lima-nebraska-pasta-mountain
File name:FG0765456780098767.exe
Download: download sample
Signature Worm.Mofksys
Create hunting rule
File size:1'759'668 bytes
First seen:2025-07-30 08:56:40 UTC
Last seen:2025-07-30 09:07:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 49152:dYx3u6Y3qFXTPAxUaiZikZM/P7WrVcKuZOIqBAVvHgRX36C:ynY3qFrAxUaiZikZM/P7WrVcKuZOIqBB
TLSH T1B185333D5AB9213BD0A9C3749BC4992FF81099373115BD2AEBD20B691325AC375E123F
TrID 58.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
22.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10522/11/4)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 83c4c4c4c4804481 (2 x Worm.Mofksys)
Reporter lowmal3
Tags:exe Worm.Mofksys

Intelligence

File Origin
# of uploads :
2
# of downloads :
35
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FG0765456780098767.exe
Verdict:
No threats detected
Analysis date:
2025-07-30 08:59:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/13b150be-8fdb-4bb9-9c8f-eee601cc8c5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17723/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6889de740b4775fb21337ea8
Tags:
injection trojware emotet sharew
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Labled as:
Trojan.Swisyn
Link:
https://www.hybrid-analysis.com/sample/d2c8e9c95bd0488086a716bd9696ced3718624879844eecbac1ed69a01fb32a2
Malware family:
MOFKSYS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3f5917c-db75-4a87-824a-d9404c24fc4a
Result
Threat name:
CryptOne, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1746952
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Interactive AT Job
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1746952 Sample: FG0765456780098767.exe Startdate: 30/07/2025 Architecture: WINDOWS Score: 100 79 reallyfreegeoip.org 2->79 81 mail.vipekspertiz.net 2->81 83 10 other IPs or domains 2->83 99 Found malware configuration 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for dropped file 2->103 107 11 other signatures 2->107 12 FG0765456780098767.exe 1 4 2->12         started        16 explorer.exe 2->16         started        18 svchost.exe 2->18         started        20 svchost.exe 2->20         started        signatures3 105 Tries to detect the country of the analysis system (by using the IP) 79->105 process4 dnsIp5 71 C:\Users\user\...\fg0765456780098767.exe, PE32 12->71 dropped 73 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 12->73 dropped 141 Installs a global keyboard hook 12->141 23 icsys.icn.exe 4 12->23         started        27 fg0765456780098767.exe 1 12->27         started        85 127.0.0.1 unknown unknown 20->85 file6 signatures7 process8 file9 67 C:\Windows\System\explorer.exe, PE32 23->67 dropped 117 Antivirus detection for dropped file 23->117 119 Drops executables to the windows directory (C:\Windows) and starts them 23->119 121 Drops PE files with benign system names 23->121 123 Installs a global keyboard hook 23->123 29 explorer.exe 1 121 23->29         started        125 Writes to foreign memory regions 27->125 127 Allocates memory in foreign processes 27->127 129 Injects a PE file into a foreign processes 27->129 34 CasPol.exe 27->34         started        signatures10 process11 dnsIp12 87 vccmd01.t35.com 29->87 89 vccmd01.zxq.net 51.81.194.202, 443, 49694, 49697 OVHFR United States 29->89 97 3 other IPs or domains 29->97 75 C:\Windows\System\spoolsv.exe, PE32 29->75 dropped 77 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 29->77 dropped 143 Antivirus detection for dropped file 29->143 145 System process connects to network (likely due to code injection or exploit) 29->145 147 Creates an undocumented autostart registry key 29->147 153 2 other signatures 29->153 36 spoolsv.exe 3 29->36         started        91 mail.vipekspertiz.net 213.142.131.219, 49711, 587 ADEOXTECHUS Turkey 34->91 93 checkip.dyndns.com 193.122.130.0, 49686, 49688, 49690 ORACLE-BMC-31898US United States 34->93 95 reallyfreegeoip.org 104.21.64.1, 443, 49687, 49689 CLOUDFLARENETUS United States 34->95 149 Tries to steal Mail credentials (via file / registry access) 34->149 151 Tries to harvest and steal browser information (history, passwords, etc) 34->151 file13 signatures14 process15 file16 65 C:\Windows\System\svchost.exe, PE32 36->65 dropped 109 Antivirus detection for dropped file 36->109 111 Drops executables to the windows directory (C:\Windows) and starts them 36->111 113 Drops PE files with benign system names 36->113 115 Installs a global keyboard hook 36->115 40 svchost.exe 245 4 36->40         started        signatures17 process18 file19 69 C:\Users\user\AppData\Local\stsys.exe, PE32 40->69 dropped 131 Antivirus detection for dropped file 40->131 133 Detected CryptOne packer 40->133 135 Creates an undocumented autostart registry key 40->135 137 3 other signatures 40->137 44 spoolsv.exe 40->44         started        47 at.exe 40->47         started        49 at.exe 40->49         started        51 26 other processes 40->51 signatures20 process21 signatures22 139 Installs a global keyboard hook 44->139 53 conhost.exe 47->53         started        55 conhost.exe 49->55         started        57 conhost.exe 51->57         started        59 conhost.exe 51->59         started        61 conhost.exe 51->61         started        63 23 other processes 51->63 process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d2c8e9c95bd0488086a716bd9696ced3718624879844eecbac1ed69a01fb32a2
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2c8e9c95bd0488086a716bd9696ced3718624879844eecbac1ed69a01fb32a2/
Verdict:
Malicious
Threat:
VHO:Trojan.Win32.InjectorNetT
Link:
https://tip.neiki.dev/file/d2c8e9c95bd0488086a716bd9696ced3718624879844eecbac1ed69a01fb32a2
Threat name:
Win32.Trojan.Golsys
Create hunting rule
Status:
Malicious
First seen:
2025-07-30 08:57:21 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2leotsk32beibbvhc26znfwo2nyymjehtbco5s5md3ljuap3gkra._file
Verdict:
malicious
Label(s):
mofksys
Create hunting rule
Similar samples:
error
Worm.Mofksys
Result
Malware family:
mofksys
Create hunting rule
Score:
  10/10
Tags:
family:mofksys defense_evasion discovery persistence worm
Link:
https://tria.ge/reports/250730-kwrrkaysez/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Detects Mofksys worm
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Mofksys
Mofksys family
Verdict:
Malicious
Tags:
trojan Win.Malware.Swisyn-7610494-0
YARA:
Windows_Generic_Threat_2bb7fbe3
Link:
https://app.threat.zone/submission/9c494075-474d-4c33-9ea8-ac2b05de3fd1
Unpacked files
SH256 hash:
d2c8e9c95bd0488086a716bd9696ced3718624879844eecbac1ed69a01fb32a2
MD5 hash:
b424b582841e383e8d31938f5af48d5f
SHA1 hash:
288a4c5ce11986d4d68610803989d2bf9b7a0e3e
Link:
https://www.unpac.me/results/63db566b-2f91-4171-8a90-d26ec8308713/
SH256 hash:
e71c66c1d1da442b90125c61f6cb1b9167e196e05db0b5eaf56ff5aaf1d43b84
MD5 hash:
d10c66e1d5408019baa47783a027dd09
SHA1 hash:
eef4dc7de659b9aa8bf274339512346e4c22b53a
Link:
https://www.unpac.me/results/63db566b-2f91-4171-8a90-d26ec8308713/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2c8e9c95bd0488086a716bd9696ced3718624879844eecbac1ed69a01fb32a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_2bb7fbe3
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Worm.Mofksys

Executable exe d2c8e9c95bd0488086a716bd9696ced3718624879844eecbac1ed69a01fb32a2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17723/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaCopyBytes
MSVBVM60.DLL::__vbaSetSystemError
MSVBVM60.DLL::__vbaExitProc
MSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaFileOpen

Comments