MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6dbc536c9ffddace324bc8a049ca4384076c30b999bb198c4ddc4a220d02aff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6dbc536c9ffddace324bc8a049ca4384076c30b999bb198c4ddc4a220d02aff
SHA3-384 hash: 380d524afd80b1292792d859c55ce1059cab0ada2ccd6c75d04d863121245164966fb5b1bfa0e7bc4f34ea246eca5c8f
SHA1 hash: 8eaf81f223272c9642c595cf0ea6220d25d3a9c7
MD5 hash: 7085802af0772c029bc4a75d81c014a1
humanhash: michigan-william-stream-harry
File name:svchost.exe
Download: download sample
File size:20'992 bytes
First seen:2025-11-23 09:31:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 58e185299ecca757fe68ba83a6495fde (1 x Expiro)
ssdeep 384:V87VJK24kwWlJ5rRqhaLXB8tJC+JahFUOLg2JfKaW9C5bW9odW:OiWlr1aKu2mahFbfKaw
TLSH T189922A1185E559B1E0E21A3039BB7332DE76FD125828E6C77218CB2F1931A03FE3971A
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Hexastrike
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40938/
Gathering data
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm microsoft_visual_cc
Link:
https://www.filescan.io/uploads/6922e5b7eecb08e4aa45ab73/reports/14bb9c09-e7ec-4d02-8dbf-e1f217e6a5db/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e6dbc536c9ffddace324bc8a049ca4384076c30b999bb198c4ddc4a220d02aff
Result
Gathering data
Score:
2%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/e6dbc536c9ffddace324bc8a049ca4384076c30b999bb198c4ddc4a220d02aff
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/7085802af0772c029bc4a75d81c014a1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6dbc536c9ffddace324bc8a049ca4384076c30b999bb198c4ddc4a220d02aff/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-23 08:11:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43n4knwj77o2zyzexsfajhfehbahnqyltgn3dgge3xckeigqfl7q._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/251123-mqhb2stqdv/
Behaviour
Program crash
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
e6dbc536c9ffddace324bc8a049ca4384076c30b999bb198c4ddc4a220d02aff
MD5 hash:
7085802af0772c029bc4a75d81c014a1
SHA1 hash:
8eaf81f223272c9642c595cf0ea6220d25d3a9c7
Link:
https://www.unpac.me/results/8b7bf21d-7c2a-4999-aecb-2d5c75202de3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6dbc536c9ffddace324bc8a049ca4384076c30b999bb198c4ddc4a220d02aff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/40938/

Comments