MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SVCStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4
SHA3-384 hash:	dba0cd9c0ef10c09a494af2a93a65b6ede9c0be4feb5be7923a24a17b9bbd3814a08d610afc77e43dd1236ad43a597d5
SHA1 hash:	f2f82f01237052fac89a21557a8ba21bbf6e1acd
MD5 hash:	0617303eab95e49d6011f5cad58d59ae
humanhash:	bakerloo-mango-virginia-enemy
File name:	0617303eab95e49d6011f5cad58d59ae.exe
Download:	download sample
Signature	SVCStealer Create hunting rule
File size:	787'456 bytes
First seen:	2025-12-14 11:42:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	78f0b9037223ba008b9e0f5ebe07069b (5 x SVCStealer, 1 x SVC)
ssdeep	12288:7kzN0zVaWX+dkzN0zVaWX+MyzN0zVaWX+:7kzmL+dkzmL+MyzmL+
Threatray	70 similar samples on MalwareBazaar
TLSH	T16BF46D4A376410F8D86B913CC9639A4AF6F27855077093CF13A483B95F2B7E1AA3D712
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.6% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	exe SVCStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

KINS

Details

KINS

possibly: configuration data including urls and a missionid, cryptocurrency addresses, and extracted components

Link:

https://research.acce.ciphertechsolutions.com/results/8046d9c3-6ab6-40ce-8944-4333df3bd22b/

Malware family:

n/a

ID:

File name:

0617303eab95e49d6011f5cad58d59ae.exe

Verdict:

No threats detected

Analysis date:

2025-12-14 11:45:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/54d1ec52-1f49-4fdd-b909-b5949d4c0647

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44613/

Detection(s):

Win.Downloader.Marte-10058294-0

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693ea2d5838ad7e4853925cb

Tags:

downloader dropper emotet virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug exploit explorer fingerprint lolbin packed powerloader

Link:

https://www.filescan.io/uploads/693ea2d0cf690d27f3df19c0/reports/421bf966-a084-45c1-81ae-43a239da98a4/overview

Verdict:

Malicious

Labled as:

Trojan.Loader.Marte.6.Generic

Link:

https://www.hybrid-analysis.com/sample/843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-10T01:31:00Z UTC

Last seen:

2025-12-14T17:58:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Injuke.pidm PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4/results?tab=lookup

Malware family:

Gapz

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/25dcf62a-4758-4b02-8895-2416261f8f9d

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/0617303eab95e49d6011f5cad58d59ae

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4/

Verdict:

Malicious

Threat:

Family.SVCSTEALER

Link:

https://tip.neiki.dev/file/843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4

Threat name:

Win64.Trojan.PowerLoader

Status:

Malicious

First seen:

2025-12-10 08:39:38 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qq7gjfuponu4zcevxqfuhbhlat46735qgenqlfugcjzxinwkqtka._file

Verdict:

malicious

Label(s):

unc_loader_073

SVCStealer

60acc48765bbe492e56f8e1665bf041973f23501422a73fd87dd2b79922246b6

SVCStealer

7e9d3236eb6c30eaba04f7480a3b00aa2d0c990e101d120c11325e6b4faacdf8

SVCStealer

843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4

SVCStealer

90e8364f36c97d2e247abb93fbe28b682a286765fc6600ee15db377121c3703f

SVCStealer

aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

SVCStealer

c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6

SVCStealer

error

SVCStealer

+ 60 additional samples on MalwareBazaar

Result

Malware family:

svcstealer

Score:

10/10

Tags:

family:svcstealer downloader stealer

Link:

https://tria.ge/reports/251214-nvpglatpfn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

SvcStealer, Diamotrix

Svcstealer family

Malware Config

C2 Extraction:

http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php

Verdict:

Malicious

Tags:

Win.Downloader.Marte-10058294-0

YARA:

n/a

Link:

https://app.threat.zone/submission/7479f3a7-d4d5-4e0f-8561-5c3914f6713a

Unpacked files

SH256 hash:

843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4

MD5 hash:

0617303eab95e49d6011f5cad58d59ae

SHA1 hash:

f2f82f01237052fac89a21557a8ba21bbf6e1acd

Detections:

win_sdbbot_auto

Link:

https://www.unpac.me/results/5fa478b5-3c77-4d13-81f2-fab7cce1145a/

SH256 hash:

0963f044513d523292a340588f97d4d31fe4823a95e16a47a8217ee6e5581a70

MD5 hash:

53bac7df8377a7b1a68a6c52bfbfdd69

SHA1 hash:

82be4aa082a10be0b8ce6e74cb6e65b3b1bdd956

Link:

https://www.unpac.me/results/5fa478b5-3c77-4d13-81f2-fab7cce1145a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/843e64968f7369cc8895bc0b4384eb04f9efefb0311b05968612737436ca84d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	win_sdbbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.sdbbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/44613/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample