MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e9ba2ed031e0830c98277462670dd7850c8bd3c4da9e0a87273a1cce32b0008. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SVCStealer


Vendor detections: 14



SHA256 hash: 1e9ba2ed031e0830c98277462670dd7850c8bd3c4da9e0a87273a1cce32b0008
SHA3-384 hash: 2482de2ebb1ac13e79f5a5667029b12bd1375fa51dd12905001ae8f4d90a87745341ce49f4030a099cf773c24e3c027d
SHA1 hash: b800b091e181cad7ae6d2c0f6c55a7a5cd380e8f
MD5 hash: 129ae58509b3f8f57b0459f5010d2f83
humanhash: violet-michigan-quebec-paris
File name: 129ae58509b3f8f57b0459f5010d2f83.exe
Download: download sample
Signature: SVCStealer
File size: 614'912 bytes
First seen: 2025-12-14 11:41:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f35919722d8dcde279077a8460e70b83 (8 x SVCStealer, 2 x Stealc, 1 x Amadey)
ssdeep 12288:aSuCb4xIs/h5L99pD0ePZJLmIawaDAeejYd+MMDS1Bu3129rnSbA:az/t55L5TLmIS8Yd+MveQ9rg
TLSH T111D4124363B171F4F1768275C251894A8B76B87A4B609F6F4BE0079E1FA72D04E2EF21
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe SVCStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 85
Origin country: SE
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
BLToolsv2.9.1PRO.exe
Verdict:
Malicious activity
Analysis date:
2025-12-08 01:16:23 UTC
Tags:
stealc stealer auto-sch amadey botnet auto-reg clipper diamotrix python anti-evasion loader arch-doc svcstealer rdp crypto-regex

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Tags:
virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm clipper microsoft_visual_cc packed
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-06T17:57:00Z UTC
Last seen:
2025-12-15T00:39:00Z UTC
Hits:
~100
Result
Threat name:
Amadey, Clipboard Hijacker, Stealc v2, S
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to send encrypted data to the internet
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Early bird code injection technique detected
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Stealc v2
Yara detected SvcStealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1832404, Sample: Os4d0HBpJz.exe, Startdate: 14/12/2025, Architecture: WINDOWS, Score: 100 (process tree flattened from the graph image; signatures and network/file nodes kept as reported)
Root: DNS www.google.com; Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

Os4d0HBpJz.exe
  dropped: C:\ProgramData\ebecabcdbbbdc.exe (PE32+)
  Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; Injects code into the Windows Explorer (explorer.exe)
  -> explorer.exe (injected)
       network: 62.60.226.159, ports 27015, 49704, 49705 (ASLINE-AS-AP ASLINE LIMITED HK; Iran (ISLAMIC Republic Of))
       dropped: C:\Users\user\AppData\Local\...\DC5C.tmp.exe, CA0A.tmp.exe, C93D.tmp.exe (PE32+) and 3 other malicious files
       System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Unusual module load detection (module proxying)
       -> 44E.tmp.exe
            network: 196.251.107.23, ports 49708, 49818, 49953 (ANGANI-AS KE; Seychelles)
            dropped: C:\...\groupware_11.80.93.2_INSTALL[1].exe (PE32), C:\Users\user\AppData\...\004UHlgjHnQm.exe (PE32)
            Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Early bird code injection technique detected; 7 other signatures
            -> chrome.exe (x2); 4 other processes
       -> C93D.tmp.exe
            Found API chain indicative of debugger detection; Contains functionality to send encrypted data to the internet; Tries to harvest and steal browser information (history, passwords, etc)
            -> cmd.exe (Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks)
                 -> PING.EXE (127.0.0.1); conhost.exe
       -> DC5C.tmp.exe
            dropped: C:\Users\user\AppData\Roaming\syshost.exe (PE32+)
            -> syshost.exe
                 network: 158.94.208.102, ports 49716, 49721, 49724 (JANET Jisc Services Limited GB; United Kingdom)
                 network: 178.16.53.7, ports 49717, 49722, 49725 (DUSNET-AS DE; Germany)
                 Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Unusual module load detection (module proxying)
       -> 6 other processes
            Injects code into the Windows Explorer (explorer.exe); Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
            -> schtasks.exe (x3) -> conhost.exe; 2 other processes -> conhost.exe (x2)
588.tmp.exe
  Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  -> schtasks.exe -> conhost.exe
588.tmp.exe
  Injects a PE file into a foreign processes
  -> schtasks.exe -> conhost.exe
7 other processes
  Contains functionality to start a terminal service; Found direct / indirect Syscall (likely to bypass EDR)
  -> schtasks.exe -> conhost.exe
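The sandbox report above pairs two persistence mechanisms (Run keys created with suspicious names, and schtasks.exe launched from injected processes) with payloads dropped into C:\ProgramData and C:\Users\user\AppData. The following is an added example of the matching detection logic, not MalwareBazaar or Joe Sandbox code. The event records are constructed to mimic Sysmon Event ID 13 (registry value set) and Event ID 1 (process create) with only the fields the rules need; the drop paths come from the report, while the SID, task name and parent paths are made up.

```python
"""Hunt for the persistence pattern in the sandbox report: Run-key values and
scheduled tasks whose target lives in a user-writable drop folder.

Added example, not code from MalwareBazaar or Joe Sandbox. Events are
constructed; only the dropped-file paths are taken from the report.
"""
import re
from typing import Iterable

# Drop folders seen in the report (ProgramData, AppData) plus Windows\Temp.
# Assumption: in a managed fleet an autostart pointing into these is worth a look.
SUSPICIOUS_DIRS = (
    r"c:\\programdata\\",
    r"c:\\users\\[^\\]+\\appdata\\",
    r"c:\\windows\\temp\\",
)
RUN_KEYS = (
    r"\\currentversion\\run\\",
    r"\\currentversion\\runonce\\",
)
_DIR_RE = re.compile("|".join(SUSPICIOUS_DIRS), re.IGNORECASE)
_RUN_RE = re.compile("|".join(RUN_KEYS), re.IGNORECASE)
# Pull the task action out of `schtasks /create ... /tr "<command>"` (quotes optional).
_TR_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', re.IGNORECASE)


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one hit per event that matches either persistence rule."""
    hits = []
    for ev in events:
        if ev["EventID"] == 13:
            # Sigma-style "New RUN key pointing to suspicious folder".
            if _RUN_RE.search(ev["TargetObject"]) and _DIR_RE.search(ev["Details"]):
                hits.append({"rule": "run_key_suspicious_folder",
                             "process": ev["Image"], "target": ev["Details"]})
        elif ev["EventID"] == 1 and ev["Image"].lower().endswith("\\schtasks.exe"):
            # Task creation whose action runs from a drop folder.
            cmd = ev["CommandLine"]
            m = _TR_RE.search(cmd)
            if "/create" in cmd.lower() and m and _DIR_RE.search(m.group(1)):
                hits.append({"rule": "schtask_suspicious_folder",
                             "process": ev["ParentImage"], "target": m.group(1)})
    return hits


# Constructed sample events (SID, task name and parent paths are made up).
EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\Os4d0HBpJz.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ebecabcdbbbdc",
     "Details": r"C:\ProgramData\ebecabcdbbbdc.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\DC5C.tmp.exe",
     "CommandLine": r'schtasks.exe /create /tn "syshost" /tr "C:\Users\user\AppData\Roaming\syshost.exe" /sc minute /mo 1 /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'schtasks.exe /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\updater.exe" /sc daily'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /query /fo LIST"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Only the ProgramData Run key and the AppData scheduled task fire; the OneDrive Run key and the Program Files task are left alone, which is the allowlisting you need to keep the rule quiet on a normal host. Note that the report shows explorer.exe being injected, so the process creating the key or task may itself look benign; the target path is the stable signal.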
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.SvcStealer
Status:
Malicious
First seen:
2025-12-06 22:58:14 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Result
Malware family:
svcstealer
Score:
  10/10
Tags:
family:svcstealer downloader execution persistence stealer
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Executes dropped EXE
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php
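Four of the five extracted C2 URLs share the check-in path /diamo/data.php on bare-IP hosts, so the path is a more durable pivot than any single IP. The block below is an added example, not MalwareBazaar code: it splits the URLs into exact host IOCs and path patterns and runs both over proxy log lines. The log lines are constructed in a squid-like layout (epoch time, client IP, method, URL, status); 203.0.113.9 is an RFC 5737 documentation address standing in for an unlisted C2, and restricting the path match to POST requests against bare-IP hosts is an assumed tuning choice.

```python
"""Turn the extracted C2 URLs into matchable IOCs and run them over proxy logs.

Added example, not MalwareBazaar code. LOGS is constructed; C2_URLS is the
list from this entry.
"""
import ipaddress
from urllib.parse import urlsplit

C2_URLS = [
    "http://62.60.226.159/zbuyowgn/data.php",
    "http://158.94.208.102/diamo/data.php",
    "http://196.251.107.23/diamo/data.php",
    "http://178.16.53.7/diamo/data.php",
    "http://196.251.107.61/diamo/data.php",
]

# Constructed proxy log: epoch client method url status
LOGS = """\
1734180000.123 10.0.0.15 POST http://62.60.226.159/zbuyowgn/data.php 200
1734180001.456 10.0.0.15 POST http://178.16.53.7/diamo/data.php 200
1734180002.789 10.0.0.15 POST http://203.0.113.9/diamo/data.php 200
1734180003.012 10.0.0.22 GET http://www.google.com/ 200
1734180004.345 10.0.0.22 GET http://example.com/diamo/data.php 404
"""


def build_iocs(urls):
    """Split URLs into a host set (exact IOCs) and a path set (family pattern)."""
    hosts, paths = set(), set()
    for u in urls:
        parts = urlsplit(u)
        hosts.add(parts.hostname)
        paths.add(parts.path)
    return hosts, paths


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(method, url, hosts, paths):
    """'exact' for a listed C2 host (any path), 'pattern' for a known check-in
    path POSTed to an unlisted bare-IP host (assumed tuning), else None."""
    parts = urlsplit(url)
    if parts.hostname in hosts:
        return "exact"
    if method == "POST" and parts.path in paths and _is_bare_ip(parts.hostname or ""):
        return "pattern"
    return None


def scan(log_text, urls):
    """Return (client, url, kind) for every log line that matches an IOC."""
    hosts, paths = build_iocs(urls)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, url, _status = line.split()
        kind = classify(method, url, hosts, paths)
        if kind:
            hits.append((client, url, kind))
    return hits


if __name__ == "__main__":
    for client, url, kind in scan(LOGS, C2_URLS):
        print(f"{kind:8} {client} -> {url}")
```

The first two lines hit on listed hosts, the third hits on the path pattern despite a host not on the list, and the example.com line is ignored because a named host serving that path is far more likely to be a coincidence. Keep in mind, from the sandbox graph above, that the process talking to these IPs on the endpoint was the injected explorer.exe, so a process-based allowlist on the proxy would not help here.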
Unpacked files
SHA256 hash:
1e9ba2ed031e0830c98277462670dd7850c8bd3c4da9e0a87273a1cce32b0008
MD5 hash:
129ae58509b3f8f57b0459f5010d2f83
SHA1 hash:
b800b091e181cad7ae6d2c0f6c55a7a5cd380e8f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments