MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7658ef257e279691122e25e041c48605664bce5f885baa5aa186336dc14b7b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mofksys


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7658ef257e279691122e25e041c48605664bce5f885baa5aa186336dc14b7b0
SHA3-384 hash: 922e312f585fe4eec47ca8c450a7ed1268ff6cc5798089b392dca383ea7888de4c83f15e85af54483ac586776424e8eb
SHA1 hash: 6cb8aeaa2cec712497f4647a5aa617ee3af02513
MD5 hash: d74f099f053da189a023ced439381ee9
humanhash: hawaii-salami-arkansas-cola
File name:file
Download: download sample
Signature Mofksys
Create hunting rule
File size:6'152'711 bytes
First seen:2025-08-19 14:28:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVX4:UVqoCl/YgjxEufVU0TbTyDDalR4
TLSH T13756E8237E50642EE85285F12CA9FA6DF5615E371BE0AD0722A2BF01397614372F634F
TrID 42.6% (.EXE) Win32 Executable (generic) (4504/4/1)
19.4% (.ICL) Windows Icons Library (generic) (2059/9)
18.9% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 00928e8e8686b800 (21 x Mofksys, 9 x CryptOne, 5 x Amadey)
Reporter jstrosch
Tags:exe Mofksys


Avatar
jstrosch
Found at hxxps://anonhax[.]site/uploads/675881827ce42_Roblox%20Evon%20Exploit%20V4%20UWP_61991286.exe by #subcrawl

Intelligence

File Origin
# of uploads :
1
# of downloads :
36
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-08-19 14:47:00 UTC
Tags:
auto-reg jeefo
Link:
https://app.any.run/tasks/69482444-f570-4a8f-8a4b-59971e4a4f29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22195/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a48a148fd55a79c5293c91
Tags:
trojware dropper spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Setting a single autorun event
Enabling a "Do not show hidden files" option
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed packer_detected visual_basic
Link:
https://www.filescan.io/uploads/68a48b5fabfbaec31825caa1/reports/b6269ed5-e17f-430e-b0e0-ee17e844b4fc/overview
Verdict:
Malicious
Labled as:
Gosys.B
Link:
https://www.hybrid-analysis.com/sample/e7658ef257e279691122e25e041c48605664bce5f885baa5aa186336dc14b7b0
Malware family:
MOFKSYS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc41b599-bb64-4fd1-84c6-cab7dd6e6887
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e7658ef257e279691122e25e041c48605664bce5f885baa5aa186336dc14b7b0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7658ef257e279691122e25e041c48605664bce5f885baa5aa186336dc14b7b0/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2025-08-19 14:47:42 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=45sy54sx4j4wsejc4jpaihcimblgjphf7cc3vjnkdbrtnxauw6ya._file
Verdict:
malicious
Label(s):
mofksys
Create hunting rule
Similar samples:
error
Mofksys
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence
Link:
https://tria.ge/reports/250819-rwqyladm8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Modifies visibility of hidden/system files in Explorer
Verdict:
Malicious
Tags:
trojan Win.Trojan.VBGeneric-6735875-0
YARA:
Windows_Generic_Threat_7526f106 Windows_Generic_Threat_cbe3313a
Link:
https://app.threat.zone/submission/318be9bc-36dc-4404-8cd9-252724e732be
Unpacked files
SH256 hash:
e7658ef257e279691122e25e041c48605664bce5f885baa5aa186336dc14b7b0
MD5 hash:
d74f099f053da189a023ced439381ee9
SHA1 hash:
6cb8aeaa2cec712497f4647a5aa617ee3af02513
Link:
https://www.unpac.me/results/1aee83b5-3220-4f6f-a1f0-ddad90e1bc23/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7658ef257e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7658ef257e279691122e25e041c48605664bce5f885baa5aa186336dc14b7b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_7526f106
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_cbe3313a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mofksys

Executable exe e7658ef257e279691122e25e041c48605664bce5f885baa5aa186336dc14b7b0

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/22195/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetConsoleTitleA
KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::MoveFileExW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA

Comments