MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SVCStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342
SHA3-384 hash: 04ac6b5b1410e6815264983759c7231f51a782cb84e2d4d3fa3d881a9b890d4b094ec6c6fcbd6f56ae36b8370f650251
SHA1 hash: c146bd5e292741262e756d9bd8d42e700315d198
MD5 hash: 5dd3d8ab517307ba78902ea39f88dfab
humanhash: april-stairway-fanta-hawaii
File name:file
Download: download sample
Signature SVCStealer
Create hunting rule
File size:202'240 bytes
First seen:2025-11-27 21:02:16 UTC
Last seen:2025-11-28 13:35:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f35919722d8dcde279077a8460e70b83 (2 x SVCStealer)
ssdeep 3072:XaD7X/FESbmI3UGxxoJC6OxAEVHM2aCGxslf4VbyDjoCMOviSNjZaj7V:mX/FFbDUM6ChlM2aCGWlCinZY7
Threatray 102 similar samples on MalwareBazaar
TLSH T1DD14D00B67A631F8F2768278C8508A59E776B47502619F5F07F003AA1F176D18E3EF22
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:b80777 dropped-by-amadey exe SVCStealer


Avatar
Bitsight
url: http://196.251.107.23/7x.exe

Intelligence

File Origin
# of uploads :
11
# of downloads :
146
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-11-27 21:02:39 UTC
Tags:
auto-sch stealer clipper diamotrix
Link:
https://app.any.run/tasks/783e2ed5-2645-432d-9cf7-29fcfe303889

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41684/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.46363163.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6928bc8c6657e34332819b76
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Sending a custom TCP request
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6928bc90efb205635357ddcd/reports/73b3add5-b3b2-49ef-a2a3-54570809295a/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-27T18:19:00Z UTC
Last seen:
2025-11-28T00:49:00Z UTC
Hits:
~100
Detections:
Trojan-Downloader.Win32.Agent.sb Trojan.Win64.Agent.sb VHO:Trojan-Banker.Win32.ClipBanker.agcc Trojan.Gatak.TCP.C&C VHO:Trojan-PSW.Win32.Convagent.gen Trojan-PSW.Lumma.HTTP.C&C Trojan-Spy.Agent.HTTP.C&C PDM:Trojan.Win32.Generic MEM:Trojan.Win32.Cometer.gen Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Shellcode.ikj VHO:Backdoor.Win32.Androm.gen PDM:Trojan.Win32.Tasker.cust HEUR:Trojan-Banker.Win32.ClipBanker.gen Backdoor.Win32.Zegost.sb Trojan-Banker.Win32.ClipBanker.sba HEUR:Trojan-PSW.Win32.Lumma.gen VHO:Trojan-Ransom.Win32.Blocker.gen Trojan.Win32.Agent.sb HEUR:HackTool.Win32.Inject.heur Trojan.Win32.Shellcode.sb Trojan-PSW.Win32.StealC.v2
Link:
https://opentip.kaspersky.com/b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f9989832-9e24-4969-87ef-31d0ba77b976
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/5dd3d8ab517307ba78902ea39f88dfab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342/
Verdict:
Malicious
Threat:
Family.SVCSTEALER
Link:
https://tip.neiki.dev/file/b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-11-27 21:03:14 UTC
File Type:
PE+ (Exe)
AV detection:
13 of 36 (36.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwclotym6jnguyhvv5xjkg7u7uhbfnrxbgcqiv3xki266vnacnba._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
svcstealer
Create hunting rule
Similar samples:
01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec
SVCStealer
3d16e392fa1bc80d36687c28ee2a1ca81283e8c0d8da703c17fc8a8703a0e9f9
SVCStealer
56959a09e1bb6799616a68b051e8ace12bba95ccca5818b7b216d4eb25fb2c40
SVCStealer
76884d65172a609ec6a3ef5594c1c98ec1dc5c3b429ce4e788a71a79d6ff8b7f
SVCStealer
860704e66a998d3d77061e79b39ce90339d8e6ff4637559542fea06f519f82a5
SVCStealer
885e224fb1485b2bb4610fb44bf9f288018f69e66627bddad7f6a30210dbd7df
SVCStealer
9718c621907b1aafada7dfbd980e6feba50cf5238c2215c2268f8d2d7125d030
SVCStealer
9c2647c32c2a546150e6afc4fb8148b1af3939ff7ae2e45c3db5e31fd021b259
SVCStealer
ec71e978e1b6a9f3b598bc5329fa4f29ef602bd9a4993844d18c93e2d46eccc9
SVCStealer
error
SVCStealer
+ 92 additional samples on MalwareBazaar
Result
Malware family:
svcstealer
Create hunting rule
Score:
  10/10
Tags:
family:svcstealer discovery downloader execution installer persistence spyware stealer
Link:
https://tria.ge/reports/251127-zv288sdk7s/
Behaviour
Checks processor information in registry
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detects SvcStealer Payload
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://158.94.208.102/diamo/data.php
http://196.251.107.61/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/288d97e5-9c3e-441c-b700-69fbf4693503
Unpacked files
SH256 hash:
b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342
MD5 hash:
5dd3d8ab517307ba78902ea39f88dfab
SHA1 hash:
c146bd5e292741262e756d9bd8d42e700315d198
Link:
https://www.unpac.me/results/6923805e-c896-4b52-9f2f-7781851a1649/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b584b74f0cf2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SVCStealer

Executable exe b584b74f0cf25a6a60f5af6e951bf4fd0e12b63709850457775235ef55a01342

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3718189/
Cape
Cape
https://www.capesandbox.com/analysis/41684/

Comments