MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SVCStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f
SHA3-384 hash: 9155e5ca1dd50e2d63ddfdcf3cd66d208f4b305beb08c1dc4ca6268447f64acbfc6eb0c04dd330a287c01cff385bef00
SHA1 hash: cb879ac373a0f7f71f09cc0fd3de2667649c573c
MD5 hash: 04487306fcce38f93434ffa5796b4f36
humanhash: table-florida-freddie-romeo
File name:x882c5a26b60517a4ce80c7f4449cad4232ce088772fa.exe
Download: download sample
Signature SVCStealer
Create hunting rule
File size:66'048 bytes
First seen:2026-01-12 17:25:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 55380ca6450e841d3d090c9d1307b680 (3 x SVCStealer, 1 x RedLineStealer)
ssdeep 768:nNCzfY0j15I02wNfEiMgQacRZidtvs0p0uv/uhPVmDa+kk0LEDUVnNAivwZCi3Aj:sY0jLIilDsH0hiYDa+kdV9AAhoB2yz0
TLSH T141538D93B7E2C032F06295B419248B634FBE7C1156B4C5AB2B8C0099AFB16DDDB39357
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4504/4/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe SVCStealer


Avatar
abuse_ch
SVCStealer C2:
196.251.107.104:6606

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
196.251.107.104:6606 https://threatfox.abuse.ch/ioc/1685209/

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
x882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f.exe
Verdict:
Malicious activity
Analysis date:
2026-01-12 17:05:36 UTC
Tags:
auto-sch
Link:
https://app.any.run/tasks/7002ce96-cc09-4fcc-9e2c-4ca26f366e24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48652/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696529df946a855b103e98d7
Tags:
obfuscator autorun virtool sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive lolbin microsoft_visual_cc packed schtasks
Link:
https://www.filescan.io/uploads/69652e8e7859247a1c5497d9/reports/3374ca23-4a91-4e6e-9c5e-37c6425bfe31/overview
Verdict:
Malicious
Labled as:
Trojan.ExplorerHijack.Generic
Link:
https://www.hybrid-analysis.com/sample/882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-12T14:18:00Z UTC
Last seen:
2026-01-13T23:44:00Z UTC
Hits:
~100
Detections:
Backdoor.MSIL.Crysan.sb Backdoor.MSIL.Crysan.d Trojan-Downloader.Win32.Bazloader.sb Trojan.Win64.Agent.sb PDM:Trojan.Win32.Generic Backdoor.MSIL.Crysan.c Backdoor.MSIL.Crysan.b Backdoor.MSIL.Agent.sb Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Inject.sb HEUR:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Mansabo.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.Crysan.mjf Trojan.Scar.HTTP.C&C PDM:Trojan.Win32.Tasker.cust PDM:Exploit.Win32.Generic Trojan-PSW.Lumma.HTTP.C&C Trojan-Downloader.Bazloader.HTTP.C&C Trojan.Win32.Shellcode.sb Trojan.Win32.RokRat.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Pycoon.sb Trojan-Spy.Agent.HTTP.C&C Trojan.Win32.Gatak.sb Trojan.Win32.AntiAV.sb Trojan.Gatak.TCP.C&C Trojan-Downloader.Win32.Bazloader.iw VHO:Backdoor.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f/results?tab=lookup
Malware family:
APT10
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f2280ca-a331-4431-88a8-473bff43f153
Result
Threat name:
AsyncRAT, Clipboard Hijacker, SvcStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1849391
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected SvcStealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1849391 Sample: x882c5a26b60517a4ce80c7f444... Startdate: 12/01/2026 Architecture: WINDOWS Score: 100 173 Suricata IDS alerts for network traffic 2->173 175 Found malware configuration 2->175 177 Malicious sample detected (through community Yara rule) 2->177 179 16 other signatures 2->179 14 x882c5a26b60517a4ce80c7f4449cad4232ce088772fa.exe 4 2->14         started        18 582F5B6EAA4839A1.exe 2->18         started        20 eServiceHost.exe 2->20         started        22 6 other processes 2->22 process3 file4 167 C:\Users\user\...\582F5B6EAA4839A1.exe, PE32 14->167 dropped 217 Uses schtasks.exe or at.exe to add and modify task schedules 14->217 219 Writes to foreign memory regions 14->219 221 Allocates memory in foreign processes 14->221 223 Injects a PE file into a foreign processes 14->223 24 aaaaaaaa.tmp 14->24         started        27 svchost.exe 9 14->27         started        31 schtasks.exe 1 14->31         started        225 Multi AV Scanner detection for dropped file 18->225 227 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->227 signatures5 process6 dnsIp7 141 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 24->141 dropped 143 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 24->143 dropped 33 aaaaaaaa.exe 24->33         started        169 62.60.226.159, 27015, 49715, 49716 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of) 27->169 171 196.251.107.104, 1177, 49717, 49723 ANGANI-ASKE Seychelles 27->171 145 C:\Users\user\AppData\Local\...\wsokgcyu.exe, PE32 27->145 dropped 147 C:\Users\user\AppData\Local\...\rizqhypg.exe, PE32+ 27->147 dropped 149 C:\Users\user\AppData\Local\...\aaaaaaaa.exe, PE32 27->149 dropped 199 System process connects to network (likely due to code injection or exploit) 27->199 201 Unusual module load detection (module proxying) 27->201 36 wsokgcyu.exe 2 27->36         started        39 rizqhypg.exe 71 27->39         started        41 aaaaaaaa.exe 27->41         started        43 conhost.exe 31->43         started        file8 signatures9 process10 file11 103 C:\Users\user\AppData\Local\...\aaaaaaaa.tmp, PE32 33->103 dropped 45 aaaaaaaa.tmp 33->45         started        105 C:\Users\user\AppData\Local\...\wsokgcyu.tmp, PE32 36->105 dropped 181 Multi AV Scanner detection for dropped file 36->181 48 wsokgcyu.tmp 3 5 36->48         started        107 C:\Users\user\AppData\...\temp_12956.exe, PE32 39->107 dropped 109 C:\Users\...\Polarised_97.74.8_INSTALL[1].exe, PE32 39->109 dropped 183 Injects code into the Windows Explorer (explorer.exe) 39->183 185 Writes to foreign memory regions 39->185 187 Allocates memory in foreign processes 39->187 189 3 other signatures 39->189 50 temp_12956.exe 39->50         started        52 explorer.exe 39->52 injected 111 C:\Users\user\AppData\Local\...\aaaaaaaa.tmp, PE32 41->111 dropped signatures12 process13 file14 153 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 45->153 dropped 155 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 45->155 dropped 157 C:\ProgramData\...\vcruntime140.dll (copy), PE32 45->157 dropped 165 9 other malicious files 45->165 dropped 54 eServiceHost.exe 45->54         started        159 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 48->159 dropped 161 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 48->161 dropped 58 wsokgcyu.exe 2 48->58         started        163 C:\Users\user\AppData\...\temp_12956.tmp, PE32 50->163 dropped 60 temp_12956.tmp 50->60         started        process15 file16 119 C:\Users\user\AppData\Local\Temp\xeutit.exe, PE32+ 54->119 dropped 121 C:\Users\user\AppData\Local\Temp\uqzylw.exe, PE32 54->121 dropped 123 C:\Users\user\AppData\Local\Temp\obfwqx.exe, PE32 54->123 dropped 125 C:\Users\user\AppData\Local\Temp\ijcssw.exe, PE32+ 54->125 dropped 191 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 54->191 193 Unusual module load detection (module proxying) 54->193 62 cmd.exe 54->62         started        65 cmd.exe 54->65         started        67 cmd.exe 54->67         started        69 cmd.exe 54->69         started        127 C:\Users\user\AppData\Local\...\wsokgcyu.tmp, PE32 58->127 dropped 71 wsokgcyu.tmp 5 15 58->71         started        129 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 60->129 dropped 131 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 60->131 dropped signatures17 process18 file19 213 Suspicious powershell command line found 62->213 74 powershell.exe 62->74         started        76 conhost.exe 62->76         started        215 Bypasses PowerShell execution policy 65->215 78 powershell.exe 65->78         started        80 conhost.exe 65->80         started        82 conhost.exe 67->82         started        84 powershell.exe 67->84         started        86 conhost.exe 69->86         started        133 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 71->133 dropped 135 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 71->135 dropped 137 C:\ProgramData\...\vcruntime140.dll (copy), PE32 71->137 dropped 139 9 other malicious files 71->139 dropped 88 eServiceHost.exe 2 71->88         started        signatures20 process21 signatures22 91 obfwqx.exe 74->91         started        95 ijcssw.exe 78->95         started        195 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 88->195 197 Unusual module load detection (module proxying) 88->197 process23 file24 151 C:\Users\user\AppData\Local\...\obfwqx.tmp, PE32 91->151 dropped 203 Multi AV Scanner detection for dropped file 91->203 97 obfwqx.tmp 91->97         started        205 Injects code into the Windows Explorer (explorer.exe) 95->205 207 Tries to harvest and steal browser information (history, passwords, etc) 95->207 209 Writes to foreign memory regions 95->209 211 4 other signatures 95->211 signatures25 process26 file27 113 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 97->113 dropped 115 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 97->115 dropped 100 obfwqx.exe 97->100         started        process28 file29 117 C:\Users\user\AppData\Local\...\obfwqx.tmp, PE32 100->117 dropped
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f/
Verdict:
Malicious
Threat:
Family.SMOKELOADER
Link:
https://tip.neiki.dev/file/882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f
Threat name:
Win32.Trojan.ExplorerHijack
Create hunting rule
Status:
Malicious
First seen:
2026-01-12 17:05:37 UTC
File Type:
PE (Exe)
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rawfujvwaul2jtuay72ejhfniizm4cehol5ianah4ihgafpvjcpq._file
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor discovery execution persistence trojan
Link:
https://tria.ge/reports/260112-vzkgrshw9b/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
SmokeLoader
Smokeloader family
Malware Config
C2 Extraction:
http://62.60.226.159/geter/index.php?
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/505c8073-f45f-45ab-a55b-1b8b56593789
Unpacked files
SH256 hash:
882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f
MD5 hash:
04487306fcce38f93434ffa5796b4f36
SHA1 hash:
cb879ac373a0f7f71f09cc0fd3de2667649c573c
Link:
https://www.unpac.me/results/42fd2622-191a-49f5-8021-a7e077541214/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/882c5a26b605/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/882c5a26b60517a4ce80c7f4449cad4232ce088772fa803407e20e6015f5489f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:MAL_packer_lb_was_detected
Create hunting rule
Author:0x0d4y
Description:Detect the packer used by Lockbit4.0
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXProtectorv10x2
Create hunting rule
Author:malware-lu
Rule name:Windows_Generic_Threat_c9003b7b
Create hunting rule
Author:Elastic Security
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48652/

Comments