MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87b27ec9a27fccb63c23688277e50ed0d1afc598d981a6169ed4b14a21188452. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SVCStealer


Vendor detections: 15



SHA256 hash: 87b27ec9a27fccb63c23688277e50ed0d1afc598d981a6169ed4b14a21188452
SHA3-384 hash: 3cdecf390040bfc78e41b64f762c138d898634649321cb5253768115aa62f5ea7af6fc3603b85a6dcea314b1d34d88ce
SHA1 hash: 6b28ca08a51252abac26b878f3395b5c5c57880a
MD5 hash: 293e4a2c858d7b8b19ea8954e5e8fe27
humanhash: charlie-river-snake-hot
File name: 8.exe
Signature: SVCStealer
File size: 85'504 bytes
First seen: 2026-01-12 13:55:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3326b0ed8ca5d20f5013f8b3c04e7744 (2 x SVCStealer, 1 x XWorm)
ssdeep: 1536:q148CrfdXNM840VhyGzirik7okuAhoB2y:q1zmM92yrCksB2y
TLSH: T17D834901F250C035F0F700FACBB54B7A5EA9AF11536890DB57D855EAAB31AC1BA3235B
TrID: 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.1% (.EXE) Win32 Executable (generic) (4504/4/1)
      3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: exe SVCStealer


abuse_ch
SVCStealer C2:
196.251.107.104:6606

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
196.251.107.104:6606 | https://threatfox.abuse.ch/ioc/1685209/

Intelligence


File Origin
# of uploads: 1
# of downloads: 118
Origin country: NL
Vendor Threat Intelligence
No detections
Malware family:
asyncrat
ID:
1
File name:
8.exe
Verdict:
Malicious activity
Analysis date:
2026-01-12 13:56:48 UTC
Tags:
stealer stealc loader auto-sch rat asyncrat remote upx

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
obfuscator autorun virtool sage
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
base64 carberp lolbin microsoft_visual_cc oficla packed schtasks
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-12T11:10:00Z UTC
Last seen:
2026-01-12T13:35:00Z UTC
Hits:
~100
Detections:
Trojan.Gatak.TCP.C&C PDM:Trojan.Win32.Generic Trojan.Win32.Gatak.gok Trojan.Win32.Agent.sb Trojan.Win32.DLLhijack.sb PDM:Trojan.Win32.Tasker.cust Trojan.Win32.Shellcode.sb Trojan-Spy.Stealer.TCP.C&C Trojan-Spy.Agent.HTTP.C&C Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Inject.sb Trojan.Win32.DLLhijack.adhg Trojan-Downloader.Win32.Bazloader.iu Trojan-Downloader.Bazloader.HTTP.C&C Trojan.Win64.Reflo.sb Trojan.Scar.HTTP.C&C PDM:Exploit.Win32.Generic Backdoor.MSIL.XWorm.b Trojan.Win64.Agent.sb HEUR:Trojan-Banker.Win32.ClipBanker.gen Trojan-PSW.Win32.Pycoon.sb MEM:Trojan.Win32.Cometer.gen HEUR:HackTool.Win32.Inject.heur Trojan-Banker.Win32.ClipBanker.sb UDS:DangerousObject.Multi.Generic
Result
Threat name:
AsyncRAT, Clipboard Hijacker, Stealc v2,
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to send encrypted data to the internet
Creates a thread in another existing process (thread injection)
Early bird code injection technique detected
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected Stealc v2
Yara detected SvcStealer
Yara detected XWorm
Behaviour
Behavior Graph: [process graph not reproducible as text] Behavior Graph ID: 1849167; Sample: 8.exe; Start date: 12/01/2026; Architecture: WINDOWS; Score: 100
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Trojan.ExplorerHijack
Status:
Malicious
First seen:
2026-01-12 13:55:23 UTC
File Type:
PE (Exe)
AV detection:
26 of 38 (68.42%)
Threat level:
5/5
Result
Malware family:
asyncrat
Score:
10/10
Tags:
family:asyncrat botnet:default discovery execution installer persistence rat upx
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
196.251.107.104:6606
196.251.107.104:7707
196.251.107.104:8808
Unpacked files
SHA256 hash:
87b27ec9a27fccb63c23688277e50ed0d1afc598d981a6169ed4b14a21188452
MD5 hash:
293e4a2c858d7b8b19ea8954e5e8fe27
SHA1 hash:
6b28ca08a51252abac26b878f3395b5c5c57880a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ByteCode_MSIL_Backdoor_AsyncRAT
Author: ReversingLabs
Description: Yara rule that detects AsyncRAT backdoor.
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: MALWARE_Win_AsyncRAT
Author: ditekSHen
Description: Detects AsyncRAT
Rule name: MALWARE_Win_XWorm
Author: ditekSHen
Description: Detects XWorm
Rule name: MAL_packer_lb_was_detected
Author: 0x0d4y
Description: Detect the packer used by Lockbit4.0
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: Multifamily_RAT_Detection
Author: Lucas Acha (http://www.lukeacha.com)
Description: Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: Njrat
Author: botherder https://github.com/botherder
Description: Njrat
Rule name: pe_detect_tls_callbacks
Rule name: pe_imphash
Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UPXProtectorv10x2
Author: malware-lu
Rule name: Windows_Generic_Threat_c9003b7b
Author: Elastic Security
Rule name: win_xworm_w0
Author: jeFF0Falltrades
Description: Detects win.xworm.
Rule name: xworm
Author: jeFF0Falltrades
Rule name: xworm_kingrat
Author: jeFF0Falltrades

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download | SVCStealer | Executable exe | 87b27ec9a27fccb63c23688277e50ed0d1afc598d981a6169ed4b14a21188452 (this sample)

Delivery method: Distributed via web download

Comments