MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SVCStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a
SHA3-384 hash:	36f46d99928ab3f34a244a8fa0172c45821cef2aa0aea69ed099fd9955e7ef926a03d68c80c9a20103e9f9562c7c041e
SHA1 hash:	263ea0aaa71153005d46e5275c61c8dc459fd478
MD5 hash:	da731ec259884b1d1712dee24f8839ad
humanhash:	montana-sodium-butter-fruit
File name:	file
Download:	download sample
Signature	SVCStealer Create hunting rule
File size:	1'230'848 bytes
First seen:	2025-11-12 20:04:58 UTC
Last seen:	2025-11-13 18:04:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1a1975a7c9c848c426cfed519cf3ffc1 (2 x SVCStealer)
ssdeep	24576:uFSxrhTsVU5gjyFruu4fEDd8wn5SLU+Zrv6Us9WlStsiZ:uF6rMggjk+EDuwnib634fiZ
Threatray	19 similar samples on MalwareBazaar
TLSH	T1C1457D46B2B501F8D1ABC2788A46960BD7B274461334A7DF56D0875B2F33FE16A3E324
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	b80777 dropped-by-amadey exe SVCStealer

Bitsight

url: http://158.94.208.102/xuib.exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-11-12 18:41:13 UTC

Tags:

stealer arch-doc svcstealer auto-reg loader

Link:

https://app.any.run/tasks/a25e612f-e811-4424-9427-86cfc461b760

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/37749/

Detection(s):

Win.Malware.Phil-10045361-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6914e88f28ddbbca4d8d780a

Tags:

ransomware emotet virus sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Creating a file in the %AppData% directory

Running batch commands

Creating a process with a hidden window

Launching a process

Connection attempt to an infection source

Sending a TCP request to an infection source

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm base64 cmd evasive fingerprint hacktool lolbin microsoft_visual_cc

Link:

https://www.filescan.io/uploads/6914e88c52f9a0cdbd1563ab/reports/5d807d41-27c3-4693-ba82-cfdd9f484c8a/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-12T16:25:00Z UTC

Last seen:

2025-11-14T18:11:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Backdoor.Win32.Androm Trojan-Banker.Win32.ClipBanker.sb Trojan.Gatak.TCP.C&C HEUR:Trojan-Banker.Win32.ClipBanker.gen Trojan-Spy.Agent.HTTP.C&C Trojan-PSW.Win32.Pycoon.sb Trojan-Dropper.Win32.Dorifel.sbd Trojan.Win32.Vimditator.sb Trojan.Win32.Tremp.sb Trojan.Win32.Gatak.gkt HEUR:HackTool.Win32.Inject.heur Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.Dapato Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb MEM:Trojan.Win32.Cometer.gen Trojan-PSW.Win32.Stealer.sb VHO:Trojan-PSW.Win32.Stealer.gen VHO:Backdoor.Win32.Androm.gen

Link:

https://opentip.kaspersky.com/165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a/results?tab=lookup

Malware family:

SvcStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/183939c4-9d9d-48ba-abeb-77c7b369aa15

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/da731ec259884b1d1712dee24f8839ad

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a/

Verdict:

Malicious

Threat:

Family.SVCSTEALER

Link:

https://tip.neiki.dev/file/165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-11-12 18:41:14 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=czox6s6bc6rjslhzci4am3kxb3dong2dexw4xzuqc5aupexq7bfa._file

Verdict:

malicious

Label(s):

svcstealer

SVCStealer

165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a

SVCStealer

4254de273cf58a956855203549ce4c6ffa2e0eba107d4a11e884f4ea064821d5

SVCStealer

6fac8becbf95d221ccc9c68c846c3b847e89dcf131a1ef11efbd646583f59f4c

SVCStealer

b1e889002d9174c58dd9d8b20758516a3ff6e636ff14e00793da3ff9a09a7e9e

SVCStealer

error

SVCStealer

+ 9 additional samples on MalwareBazaar

Verdict:

Malicious

Tags:

Win.Malware.Phil-10045361-0

YARA:

n/a

Link:

https://app.threat.zone/submission/b0500866-75e3-49a7-8409-b29a61b88c47

Unpacked files

SH256 hash:

165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a

MD5 hash:

da731ec259884b1d1712dee24f8839ad

SHA1 hash:

263ea0aaa71153005d46e5275c61c8dc459fd478

Link:

https://www.unpac.me/results/3ea86b6b-565f-48cd-8d30-54b6bf9b33ae/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/165d7f4bc117/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/165d7f4bc117a2992cf91238066d570ec6e69b4325edcbe69017414792f0f84a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Dlls Create hunting rule

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools