MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70cb2301d0eef30d587d26052cf7cab6f3334dcf529485a1586ad9e21584d035. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SVCStealer


Vendor detections: 15



SHA256 hash: 70cb2301d0eef30d587d26052cf7cab6f3334dcf529485a1586ad9e21584d035
SHA3-384 hash: 5e0b3f11a24b389b42c621f9842ce976dd201d33c7aed584a270f9b6b4d51b016013906689beb61e7644d13d9c8ff527
SHA1 hash: f071cc95e4360f4874c4345a17a4ebd24c9ac4e7
MD5 hash: 25cebe70547c2732de0a9050fd4a76cb
humanhash: happy-october-nuts-louisiana
File name: x70cb2301d0eef30d587d26052cf7cab6f3334dcf5294.exe
Signature: SVCStealer
File size: 66'048 bytes
First seen: 2026-01-12 17:35:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 55380ca6450e841d3d090c9d1307b680 (3 x SVCStealer, 1 x RedLineStealer)
ssdeep: 768:GUp9fff0yKZax2wNfEiMgQacRZidIZMq+sZhHxDPakkaLEDDNVntAiNwZCi3AhRE:df0yyaRlDsAqxpSk/E/AAhoB2yk0
TLSH: T1E8538D13B7F2C032F16295B409249B624FBE782156B4D6BB1B9C10E9AFB1690CF39357
TrID:
  56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
  8.1% (.EXE) Win32 Executable (generic) (4504/4/1)
  3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: exe SVCStealer


abuse_ch
SVCStealer C2:
196.251.107.104:7707

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 196.251.107.104:7707
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1685210/

Intelligence


File Origin
# of uploads: 1
# of downloads: 144
Origin country: NL
Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: x70cb2301d0eef30d587d26052cf7cab6f3334dcf529485a1586ad9e21584d035.exe
Verdict: Malicious activity
Analysis date: 2026-01-12 17:07:16 UTC
Tags: auto-sch

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: obfuscator autorun virtool sage
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 evasive lolbin microsoft_visual_cc packed schtasks
Verdict: Malicious
File Type: exe x32
First seen: 2026-01-12T14:13:00Z UTC
Last seen: 2026-01-13T23:44:00Z UTC
Hits: ~10
Detections: Trojan.Win32.RokRat.sb, Trojan.Win32.Mansabo.sb, Backdoor.MSIL.Crysan.d, Trojan-Banker.Win32.ClipBanker.sb, Trojan.Win32.Inject.sb, Trojan-PSW.Win32.Stealer.sb, Trojan-PSW.Win32.Pycoon.sb, Trojan-Spy.Agent.HTTP.C&C, Trojan.Win32.Shellcode.sb, Trojan.Win32.Gatak.sb, Backdoor.MSIL.Crysan.sb, Backdoor.MSIL.Crysan.b, Backdoor.MSIL.Agent.sb, PDM:Trojan.Win32.Generic, Trojan-PSW.Lumma.HTTP.C&C, Trojan.Gatak.TCP.C&C, Trojan-Downloader.Win32.Bazloader.sb, Trojan-Downloader.Win32.Bazloader.hb, PDM:Exploit.Win32.Generic, Trojan.Win32.AntiAV.sb, Trojan.MSIL.Crypt.sb, Backdoor.MSIL.Crysan.mjf, Backdoor.MSIL.Crysan.c, Trojan.Win32.Agent.sb, Trojan.Scar.HTTP.C&C, PDM:Trojan.Win32.Tasker.cust, Trojan-Downloader.Bazloader.HTTP.C&C, VHO:Backdoor.MSIL.Agent.gen
Result
Threat name: AsyncRAT, Clipboard Hijacker, Stealc v2
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to send encrypted data to the internet
Creates a thread in another existing process (thread injection)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected Stealc v2
Yara detected SvcStealer
Yara detected XWorm
Behaviour
Behavior Graph:
Behavior Graph ID: 1849399
Sample: x70cb2301d0eef30d587d26052c...
Start date: 12/01/2026
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
Top-level processes: x70cb2301d0eef30d587d26052cf7cab6f3334dcf5294.exe; eServiceHost.exe; 2772A20CA999752D.exe; 8 other processes
Process tree (dropped files, network contacts and signatures as recorded in the graph):
x70cb2301d0eef30d587d26052cf7cab6f3334dcf5294.exe
  dropped: C:\Users\user\...\2772A20CA999752D.exe (PE32)
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  started: svchost.exe; schtasks.exe
  svchost.exe
    network: 62.60.226.159 (ports 27015, 49690, 49691; ASLINE-AS-APASLINELIMITEDHK; Iran (ISLAMIC Republic Of)); 196.251.107.104 (ports 1177, 49692, 49695; ANGANI-ASKE; Seychelles)
    dropped: C:\Users\user\AppData\Local\...\uoicwqke.exe (PE32+); C:\Users\user\AppData\Local\...\jsbktclu.exe (PE32)
    signatures: System process connects to network (likely due to code injection or exploit); Unusual module load detection (module proxying)
    started: jsbktclu.exe (two instances); uoicwqke.exe
    jsbktclu.exe (both instances)
      dropped: C:\Users\user\AppData\Local\...\jsbktclu.tmp (PE32)
      started: jsbktclu.tmp
      jsbktclu.tmp
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32)
        started: jsbktclu.exe
        jsbktclu.exe
          dropped: C:\Users\user\AppData\Local\...\jsbktclu.tmp (PE32)
          started: jsbktclu.tmp
          jsbktclu.tmp
            dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\ProgramData\...\vcruntime140.dll (copy) (PE32); 9 other malicious files
            started: eServiceHost.exe (two instances)
            eServiceHost.exe (first instance)
              dropped: C:\Users\user\AppData\Local\Temp\yxhpck.exe (PE32+); C:\Users\user\AppData\Local\Temp\ropqhe.exe (PE32); C:\Users\user\AppData\Local\Temp\gkthxy.exe (PE32+); C:\Users\user\AppData\Local\Temp\eoneaj.exe (PE32)
              signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Unusual module load detection (module proxying)
              started: cmd.exe (four instances)
              cmd.exe (each instance)
                started: powershell.exe; conhost.exe
                signatures: Suspicious powershell command line found (first instance); Bypasses PowerShell execution policy (third instance)
                powershell.exe (third instance)
                  started: gkthxy.exe
                  gkthxy.exe
                    signatures: Injects code into the Windows Explorer (explorer.exe); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 4 other signatures
            eServiceHost.exe (second instance)
              signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
    uoicwqke.exe
      signatures: Injects code into the Windows Explorer (explorer.exe); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to send encrypted data to the internet; 5 other signatures
      injected: explorer.exe
  schtasks.exe
    started: conhost.exe
eServiceHost.exe (top-level instance)
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
2772A20CA999752D.exe (top-level instance)
Threat name: Win32.Trojan.ExplorerHijack
Status: Malicious
First seen: 2026-01-12 17:07:17 UTC
File Type: PE (Exe)
AV detection: 24 of 36 (66.67%)
Threat level: 5/5
Result
Malware family: svcstealer
Score: 10/10
Tags: family:asyncrat family:smokeloader family:stealc family:svcstealer botnet:crypt botnet:default backdoor discovery downloader execution installer persistence rat spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Detects SvcStealer Payload
SmokeLoader
Smokeloader family
Stealc
Stealc family
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://62.60.226.159/geter/index.php?
196.251.107.104:6606
196.251.107.104:7707
196.251.107.104:8808
http://196.251.107.23
Unpacked files
SHA256 hash: 70cb2301d0eef30d587d26052cf7cab6f3334dcf529485a1586ad9e21584d035
MD5 hash: 25cebe70547c2732de0a9050fd4a76cb
SHA1 hash: f071cc95e4360f4874c4345a17a4ebd24c9ac4e7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments