MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SVCStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da
SHA3-384 hash:	7a55642e092a3ba7db86c0422bfbb7175aaae211c373b7b2755cf01983297261e4589485569a6dbaed91b7d06468eac8
SHA1 hash:	62c8cd7c67e6cb27500551751dcdf2b34a103aeb
MD5 hash:	10f7527d1ea365aa85ad2c363cf6f9d6
humanhash:	robert-vegan-delta-alabama
File name:	file
Download:	download sample
Signature	SVCStealer Create hunting rule
File size:	201'728 bytes
First seen:	2025-12-24 22:44:34 UTC
Last seen:	2025-12-25 00:46:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d1f7c0196d9cb7cc59f07ec0dccb32bd (1 x SVCStealer)
ssdeep	3072:z8aKSvdOh3/83ZCOtIomHIg1kmZqIvbufn0Y981n1Ewq+CCg+tpPWLOJA:z8aKSAfOt0V/Zq5n0L11EtR+Qk
Threatray	106 similar samples on MalwareBazaar
TLSH	T105147B2179808472D4B3027146FCEB72547CBA214BB69ACBB7D80F5D1A749D3AB32763
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey e3db0b exe SVCStealer

Bitsight

url: http://62.60.226.159/485.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-12-24 22:46:35 UTC

Tags:

auto-reg stealc stealer auto-sch python crypto-regex svcstealer

Link:

https://app.any.run/tasks/ced7cdf6-e58a-4d07-92f1-35064bc07ee9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46002/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694c6d07038f10550b55607e

Tags:

autorun emotet

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug autorun fingerprint lolbin microsoft_visual_cc mikey update

Link:

https://www.filescan.io/uploads/694c6d045ceddcfa3ff6af4a/reports/4e01374f-8f0f-43b1-a308-da28cf2f48e3/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da

Result

Gathering data

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da/results?tab=lookup

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1c83b3ae-c85f-4e0b-b0e5-f108b0380fcf

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/10f7527d1ea365aa85ad2c363cf6f9d6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2025-12-24 22:45:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 36 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gex7kp2cmrlb4dcatv3oa44dlwifrsbeonxlrm3fivydvembuhna._file

Verdict:

malicious

Label(s):

unc_loader_073

stealc

Result

Malware family:

xworm

Score:

10/10

Tags:

family:stealc family:svcstealer family:xworm botnet:crypted discovery downloader execution installer persistence pyinstaller rat spyware stealer trojan upx

Link:

https://tria.ge/reports/251224-2ppr3azndz/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Inno Setup is an open-source installation builder for Windows applications.

Browser Information Discovery

Detects Pyinstaller

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops autorun.inf file

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Detect Xworm Payload

Detects SvcStealer Payload

Stealc

Stealc family

SvcStealer, Diamotrix

Svcstealer family

Xworm

Xworm family

Malware Config

C2 Extraction:

http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php
http://196.251.107.23
196.251.107.104:1177
196.251.107.23:1177

Verdict:

Malicious

Tags:

JS_Nemucod

YARA:

n/a

Link:

https://app.threat.zone/submission/6e10006d-2e03-4cd1-b021-23a7ea4f6299

Unpacked files

SH256 hash:

312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da

MD5 hash:

10f7527d1ea365aa85ad2c363cf6f9d6

SHA1 hash:

62c8cd7c67e6cb27500551751dcdf2b34a103aeb

Link:

https://www.unpac.me/results/bbf3d7fb-e7b4-428a-b704-2c1e5829bc27/

Malware family:

Stealc.v2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/312ff53f4264/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.