MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e9d3236eb6c30eaba04f7480a3b00aa2d0c990e101d120c11325e6b4faacdf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SVCStealer

Vendor detections: 15

SHA256 hash: 7e9d3236eb6c30eaba04f7480a3b00aa2d0c990e101d120c11325e6b4faacdf8
SHA3-384 hash: d86b25197320629df700816a69b56ba95ec243c2bfb29e658aaad6a7719a3a1d6db1525a3b8d8064c2bb10c73978623a
SHA1 hash: 995e1179b42682030354017318a453e8c1c8d135
MD5 hash: e9852c0cf42165ae949ba7b7745c2d0e
humanhash: robert-nevada-orange-single
File name: 1.exe
Signature: SVCStealer
File size: 614'912 bytes
First seen: 2025-12-14 07:44:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f35919722d8dcde279077a8460e70b83 (9 x SVCStealer, 2 x Stealc, 1 x Amadey)
ssdeep: 12288:aSuCbFbVFpW/gy/QcAdGh0zWzydHbZh19wzUOqTkk9UOURuz:azIbVHWDQcAdGmW+Hz/t5SR
TLSH: T120D4129B376872FCD2638635C5108A65E723B8771762DF4F07B4439A1F2BAD10D1AB22
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe SVCStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 163
Origin country: SE

Vendor Threat Intelligence

No detections

Malware family: meterpreter
ID: 1
File name: 2to1ep.exe
Verdict: Malicious activity
Analysis date: 2025-12-14 02:38:27 UTC
Tags:
arch-exec auto metasploit framework github python powershell stealc stealer fileshare anti-evasion backdoor meterpreter payload loader amadey botnet pastebin purelogs phishing generic svc evasion clickfix agenttesla susp-lnk possible-phishing clipper diamotrix purecrypter offloader tool xenorat rat cobaltstrike njrat miner wannacry ransomware tinynuke koiloader havoc socks5systemz proxybot powershellempire donutloader guloader networm amus pushware adware ghostsocks proxyware cryptowall xworm bdaejec koistealer credentialflusher cryptolocker discord exfiltration svitstealer bladabindi mimikatz xmrig screenconnect rmm-tool rdp gh0st coinminer putty formbook lumma xred masslogger smb azorult bruteratel iobit whitesnakestealer rhadamanthys stealerium snake keylogger redline asyncrat pyinstaller remcos quasar nanocore muckstealer vipkeylogger scan smbscan darktortilla crypter arechclient2 dcrat rustystealer susp-powershell hijackloader delphi api-base64 neshta worm jigsaw lokibot whitesnake noescape wiper pythonstealer braodo remote vidar crypto-regex

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 70%
Tags: malware

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm microsoft_visual_cc packed

Verdict: Malicious
File Type: exe x64
First seen: 2025-12-13T18:20:00Z UTC
Last seen: 2025-12-14T20:26:00Z UTC
Hits: ~100
Detections:
Trojan-Downloader.Win32.Inject.sb MEM:Trojan.Win32.Cometer.gen Trojan-PSW.Win32.Pycoon.sb Trojan-PSW.Win32.Stealer.sb Trojan-Banker.Win32.ClipBanker.sb Trojan.Win64.Agent.sb Trojan-PSW.Lumma.HTTP.Download Trojan-Downloader.Win32.Agent.sb VHO:Backdoor.Win32.Androm.gen PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Vimditator.sb Trojan.Win32.Gatak.gnm HEUR:Trojan-Banker.Win32.ClipBanker.gen HEUR:HackTool.Win32.Inject.heur Trojan-PSW.Lumma.HTTP.C&C Trojan-PSW.Win32.Lumma.yhz Backdoor.Win32.Androm Trojan.Agentb.TCP.C&C Trojan-Dropper.Win32.Dorifel.sbd Trojan.Gatak.TCP.C&C Trojan-PSW.Win64.StealC.sb Trojan-Dropper.Win32.Dapato.sb Trojan.Win32.Gatak.glz Trojan.Win32.Agent.sb
Result
Threat name: Amadey, Clipboard Hijacker, Stealc v2, S
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to send encrypted data to the internet
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Early bird code injection technique detected
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Stealc v2
Yara detected SvcStealer
Behaviour
Behavior Graph ID: 1832375; Sample: 1.exe; Startdate: 14/12/2025; Architecture: WINDOWS; Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

Process tree (graph node numbers in brackets):
[9] 1.exe
    dropped: C:\ProgramData\ebecabcdbbbdc.exe (PE32+)
    signatures: Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; Injects code into the Windows Explorer (explorer.exe)
    started: [24] conhost.exe
    injected: [19] explorer.exe
        network: 62.60.226.159 (ports 27015, 49689, 49690), ASLINE-AS-APASLINELIMITEDHK, Iran (ISLAMIC Republic Of)
        dropped: C:\Users\user\AppData\Local\...\F230.tmp.exe (PE32+); C:\Users\user\AppData\Local\...\DDCA.tmp.exe (PE32+); C:\Users\user\AppData\Local\...\434F.tmp.exe (PE32+); 3 other malicious files
        signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Unusual module load detection (module proxying)
        started: [30] 41F7.tmp.exe
            network: 196.251.107.23 (ports 49697, 49808, 49947), ANGANI-ASKE, Seychelles
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Early bird code injection technique detected; 6 other signatures
            started: [45] chrome.exe; [61] 5 other processes
        started: [34] 434F.tmp.exe
            signatures: Creates multiple autostart registry keys; Injects code into the Windows Explorer (explorer.exe); Uses schtasks.exe or at.exe to add and modify task schedules
            started: [47] schtasks.exe -> [65] conhost.exe; [49] schtasks.exe -> [67] conhost.exe
        started: [36] DDCA.tmp.exe
            signatures: Found API chain indicative of debugger detection; Contains functionality to send encrypted data to the internet; Tries to harvest and steal browser information (history, passwords, etc)
            started: [51] cmd.exe
                signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                started: [69] PING.EXE (network: 127.0.0.1); [72] conhost.exe
        started: [42] 6 other processes
            dropped: C:\Users\user\AppData\Roaming\syshost.exe (PE32+)
            signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
            started: [54] syshost.exe
                network: 158.94.208.102 (ports 49702, 49709, 49713), JANETJiscServicesLimitedGB, United Kingdom; 178.16.53.7 (ports 49703, 49708, 49712), DUSNET-ASDE, Germany
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Unusual module load detection (module proxying)
            started: [57] schtasks.exe -> [74] conhost.exe; [59] schtasks.exe -> [76] conhost.exe; [63] 2 other processes -> [78] conhost.exe
[13] 434F.tmp.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    started: [26] schtasks.exe -> [38] conhost.exe
[15] 434F.tmp.exe
    signatures: Injects a PE file into a foreign processes
    started: [28] schtasks.exe -> [40] conhost.exe
[17] 5 other processes
    signatures: Contains functionality to start a terminal service; Found direct / indirect Syscall (likely to bypass EDR)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Verdict: Malicious
Threat: VHO:Backdoor.Win32.Androm
Threat name: Win64.Backdoor.Androm
Status: Malicious
First seen: 2025-12-13 20:40:59 UTC
File Type: PE+ (Exe)
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family: svcstealer
Score: 10/10
Tags: family:svcstealer downloader persistence stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php
Unpacked files
SHA256 hash: 7e9d3236eb6c30eaba04f7480a3b00aa2d0c990e101d120c11325e6b4faacdf8
MD5 hash: e9852c0cf42165ae949ba7b7745c2d0e
SHA1 hash: 995e1179b42682030354017318a453e8c1c8d135
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  SVCStealer: Executable exe 7e9d3236eb6c30eaba04f7480a3b00aa2d0c990e101d120c11325e6b4faacdf8 (this sample)
  Delivery method: Distributed via web download

Comments