MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SVCStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f
SHA3-384 hash: 903ee0715842f375e4f08dc9df1681391fb1a79179561450b7c21c6f517dd3fea5d1e8cbcda4a69eedf51974f28fc55b
SHA1 hash: 966d4e5cc2667ed0d1c20df83323b69b68d139b1
MD5 hash: cfa1277b223991f9713dc760d103219f
humanhash: fourteen-carbon-neptune-fourteen
File name:cfa1277b223991f9713dc760d103219f.exe
Download: download sample
Signature SVCStealer
Create hunting rule
File size:1'230'848 bytes
First seen:2025-11-16 16:55:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a1975a7c9c848c426cfed519cf3ffc1 (2 x SVCStealer)
ssdeep 24576:PFSxrhTsVU5gjyFruu4fEDd8wn5SLU+Zrv6Us9WlStsiZ:PF6rMggjk+EDuwnib634fiZ
Threatray 166 similar samples on MalwareBazaar
TLSH T17F457D46B2B501F8D1ABC2788A46960BD7B274461334A7DF56D0875B2F33FE16A3E324
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe SVCStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cfa1277b223991f9713dc760d103219f.exe
Verdict:
Malicious activity
Analysis date:
2025-11-16 16:57:51 UTC
Tags:
stealer arch-doc
Link:
https://app.any.run/tasks/bc5d1e8d-eb5d-4b8f-8ded-c8ce783505b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38370/
Detection(s):
Win.Malware.Phil-10045361-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691a0211434cd67b17c2254d
Tags:
ransomware virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending a TCP request to an infection source
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 cmd evasive fingerprint hacktool lolbin microsoft_visual_cc mikey
Link:
https://www.filescan.io/uploads/691a020753bda2a5d9f6d94c/reports/5afe5236-8fd4-4028-97ad-7a97ead08345/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-13T20:24:00Z UTC
Last seen:
2025-11-18T03:14:00Z UTC
Hits:
~100
Detections:
VHO:Trojan-PSW.Win32.Stealer.gen VHO:Backdoor.Win32.Androm.gen Trojan-Spy.Agent.HTTP.C&C Trojan-PSW.Win32.Pycoon.sb Trojan-Dropper.Win32.Dorifel.sbd Trojan.Gatak.TCP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Gatak.gky
Link:
https://opentip.kaspersky.com/95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f/results?tab=lookup
Malware family:
SvcStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b1b56f2-0187-4c05-8e90-39e7e03267b8
Result
Threat name:
Clipboard Hijacker, Stealc v2, SvcSteale
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1814925
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to send encrypted data to the internet
Creates a thread in another existing process (thread injection)
Early bird code injection technique detected
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected Stealc v2
Yara detected SvcStealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1814925 Sample: 2V1oxMb7xT.exe Startdate: 16/11/2025 Architecture: WINDOWS Score: 100 99 Suricata IDS alerts for network traffic 2->99 101 Found malware configuration 2->101 103 Malicious sample detected (through community Yara rule) 2->103 105 14 other signatures 2->105 10 2V1oxMb7xT.exe 79 2->10         started        15 FnHotkeyUtility.exe 2->15         started        17 unsecapp.exe 2->17         started        19 7 other processes 2->19 process3 dnsIp4 95 158.94.208.102, 27015, 49715, 49716 JANETJiscServicesLimitedGB United Kingdom 10->95 97 196.251.107.23 ANGANI-ASKE Seychelles 10->97 83 C:\Users\user\AppData\...\temp_13518.exe, PE32+ 10->83 dropped 85 C:\Users\user\AppData\...\temp_13495.exe, PE32 10->85 dropped 87 C:\Users\user\AppData\...\temp_13488.exe, PE32+ 10->87 dropped 89 7 other malicious files 10->89 dropped 143 Self deletion via cmd or bat file 10->143 145 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->145 147 Contains functionality to send encrypted data to the internet 10->147 155 2 other signatures 10->155 21 temp_13469.exe 52 10->21         started        25 temp_13495.exe 2 10->25         started        27 temp_13466.exe 1 10->27         started        29 3 other processes 10->29 149 Injects code into the Windows Explorer (explorer.exe) 15->149 151 Writes to foreign memory regions 15->151 153 Allocates memory in foreign processes 15->153 157 2 other signatures 15->157 file5 signatures6 process7 file8 65 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 21->65 dropped 67 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 21->67 dropped 69 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 21->69 dropped 73 47 other malicious files 21->73 dropped 117 Multi AV Scanner detection for dropped file 21->117 31 temp_13469.exe 21->31         started        71 C:\Users\user\AppData\...\temp_13495.tmp, PE32 25->71 dropped 33 temp_13495.tmp 3 5 25->33         started        119 Injects code into the Windows Explorer (explorer.exe) 27->119 121 Writes to foreign memory regions 27->121 123 Allocates memory in foreign processes 27->123 131 2 other signatures 27->131 36 explorer.exe 41 2 27->36 injected 125 Early bird code injection technique detected 29->125 127 Uses ping.exe to sleep 29->127 129 Uses ping.exe to check the status of other devices and networks 29->129 133 2 other signatures 29->133 38 PING.EXE 29->38         started        41 conhost.exe 29->41         started        43 chrome.exe 29->43         started        45 5 other processes 29->45 signatures9 process10 dnsIp11 61 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 33->61 dropped 63 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 33->63 dropped 47 temp_13495.exe 33->47         started        50 temp_13466.exe 36->50         started        53 temp_13488.exe 36->53         started        93 127.0.0.1 unknown unknown 38->93 file12 process13 file14 91 C:\Users\user\AppData\...\temp_13495.tmp, PE32 47->91 dropped 55 temp_13495.tmp 47->55         started        107 Injects code into the Windows Explorer (explorer.exe) 50->107 109 Writes to foreign memory regions 50->109 111 Allocates memory in foreign processes 50->111 113 Creates a thread in another existing process (thread injection) 53->113 115 Injects a PE file into a foreign processes 53->115 signatures15 process16 file17 75 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 55->75 dropped 77 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 55->77 dropped 79 C:\ProgramData\...\vcruntime140_1.dll (copy), PE32+ 55->79 dropped 81 11 other malicious files 55->81 dropped 58 FnHotkeyUtility.exe 55->58         started        process18 signatures19 135 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 58->135 137 Injects code into the Windows Explorer (explorer.exe) 58->137 139 Writes to foreign memory regions 58->139 141 4 other signatures 58->141
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/cfa1277b223991f9713dc760d103219f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f/
Verdict:
Malicious
Threat:
Family.SVCSTEALER
Link:
https://tip.neiki.dev/file/95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f
Threat name:
Win64.Exploit.Sandsquarev
Create hunting rule
Status:
Malicious
First seen:
2025-11-14 08:05:55 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxspf2bdxyl2zejryi3vzryp3yhpbr7kllf64nhdlhkqsraifbhq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
unc_loader_073
Create hunting rule
svcstealer
Create hunting rule
Similar samples:
07bbff7609b94e8853575e3a6803f33435e8d3ede7d96edd83237b583b76b716
SVCStealer
0b586f16ba08538d8779a08b19004993f2bad1aa936ef2e75899c24133309357
SVCStealer
1cf0208ca043a5259145a2e90f0f2093a805df30d2fff66ffcea21c7096ee5d6
SVCStealer
2dbee2aec305103a2ad3fbd4e56c8973e138c30b7fb349c0d6ecd38ddc421aaf
SVCStealer
47c3a31ab04b76ddbaef87cc0447fdddf6c15aa5159eb4d41b064d73988488c3
SVCStealer
779696f4bf969ef9da50b98c884bc149a601847c5ca3b854bb2fd6909040462c
SVCStealer
956d607b88f263303037375a1c5e631ac644d447ba1452adfa905656820b66f6
SVCStealer
adf118b20cee8c1934614b22d36d206725a123cb87f7476c14f8242710f1e24e
SVCStealer
c1d781f4c9469977a32f2ad6edea4fda98e6a8eda5aa10149be2311cb369c48a
SVCStealer
error
SVCStealer
f58fcc5d3c9be3261305a5309b2055f0ac098ddb58d8e8731252f00c5d44fd43
SVCStealer
+ 156 additional samples on MalwareBazaar
Result
Malware family:
svcstealer
Create hunting rule
Score:
  10/10
Tags:
family:svcstealer discovery persistence pyinstaller spyware stealer upx
Link:
https://tria.ge/reports/251116-vfe3yavqds/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in System32 directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Malware Config
C2 Extraction:
158.94.208.102
Verdict:
Malicious
Tags:
Win.Malware.Phil-10045361-0
YARA:
n/a
Link:
https://app.threat.zone/submission/d0bd2314-2ef4-4022-8205-ce9a544e8381
Unpacked files
SH256 hash:
95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f
MD5 hash:
cfa1277b223991f9713dc760d103219f
SHA1 hash:
966d4e5cc2667ed0d1c20df83323b69b68d139b1
Link:
https://www.unpac.me/results/69f8aa82-efb3-45a2-9873-0bb77dcf7070/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95e4f2e823be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Dlls
Create hunting rule
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SVCStealer

Executable exe 95e4f2e823be17ac9131c2375cc70fde0ef0c7ea5acbee34e359d5094408284f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/38370/
  
URLhaus
https://urlhaus.abuse.ch/url/3709972/
  
Delivery method
Distributed via web download

Comments