MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfb6c67ed33c29f4c37e8d749b73c88ea9469e22952d75d1cc9906054ac47773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SVCStealer

Vendor detections: 16



SHA256 hash: bfb6c67ed33c29f4c37e8d749b73c88ea9469e22952d75d1cc9906054ac47773
SHA3-384 hash: 490bbeaaf28cbae99e794c9861888413ae9d503cf7228b6d3c59ec29e404a648174ba4c7692dcbba80332d12bb78a8e0
SHA1 hash: 83571db9946d8d48e63300226a0155cefa7db190
MD5 hash: 07585ae5f3f488e6a2bbbdd258d0d388
humanhash: march-vegan-freddie-tennis
File name: 07585ae5f3f488e6a2bbbdd258d0d388.exe
Signature: SVCStealer
File size: 214'632 bytes
First seen: 2025-12-14 11:41:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f35919722d8dcde279077a8460e70b83 (8 x SVCStealer, 2 x Stealc, 1 x Amadey)
ssdeep: 3072:BaD7X/FESbmI3UGxTcxO1AEV8evlW11VWvf2Jo7ggbRPhQbeDV0:oX/FFbDUMtaeNW1PWvf2upoeG
Threatray: 177 similar samples on MalwareBazaar
TLSH: T17324CF1923B670B9F1B7C274C841564AE7F678510E209F7F03A046992EE76917E3EF22
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe SVCStealer
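Before working on a downloaded copy of this sample, confirm it is the file catalogued here by recomputing every digest the entry lists. The block below is an example added by the editor, not MalwareBazaar's own tooling: the hash values and the file size are copied from the fields above, everything else is the editor's. Python's hashlib covers all four algorithms, including sha3_384, and the reader feeds each chunk to every digest so a large file is read once; usedforsecurity=False (Python 3.9+) keeps MD5 and SHA1 usable on FIPS-restricted builds. MalwareBazaar serves the download as a password-protected ZIP, so point hash_file at the extracted executable, not the archive.

```python
"""Verify a local file against the digests listed in this MalwareBazaar entry.
Editor's example; not part of MalwareBazaar."""
import hashlib

# Values copied from the "Database Entry" fields above.
ENTRY_HASHES = {
    "md5": "07585ae5f3f488e6a2bbbdd258d0d388",
    "sha1": "83571db9946d8d48e63300226a0155cefa7db190",
    "sha256": "bfb6c67ed33c29f4c37e8d749b73c88ea9469e22952d75d1cc9906054ac47773",
    "sha3_384": "490bbeaaf28cbae99e794c9861888413ae9d503cf7228b6d3c59ec29e404a648"
                "174ba4c7692dcbba80332d12bb78a8e0",
}
ENTRY_SIZE = 214632  # "File size" field above (214'632 bytes)


def hash_stream(chunks):
    """Feed every chunk to all four digests in one pass.

    Returns (hexdigests-by-name, total byte count)."""
    # usedforsecurity=False: integrity check only, and avoids the FIPS refusal of md5/sha1
    digests = {name: hashlib.new(name, usedforsecurity=False) for name in ENTRY_HASHES}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}, size


def hash_bytes(data: bytes):
    """Convenience wrapper for in-memory data."""
    return hash_stream([data])


def hash_file(path, chunk_size=1 << 20):
    """Hash a file on disk without loading it whole."""
    with open(path, "rb") as fh:
        return hash_stream(iter(lambda: fh.read(chunk_size), b""))


def compare_with_entry(observed, size, expected=ENTRY_HASHES, expected_size=ENTRY_SIZE):
    """Return the names of the fields that disagree with the entry.

    An empty list means the local file is exactly the catalogued sample."""
    mismatches = [name for name, value in expected.items() if observed.get(name) != value]
    if size != expected_size:
        mismatches.append("size")
    return mismatches


if __name__ == "__main__":
    import sys
    digests, size = hash_file(sys.argv[1])
    bad = compare_with_entry(digests, size)
    print("match: sample is the catalogued file" if not bad else f"MISMATCH on: {', '.join(bad)}")
```

If any field disagrees, stop and treat the file as unknown: a different size or digest means you are not looking at the sample the vendor verdicts on this page describe.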

Intelligence

File Origin
# of uploads: 1
# of downloads: 87
Origin country: SE

Vendor Threat Intelligence

No detections

Malware family:
ID: 1
File name: 07585ae5f3f488e6a2bbbdd258d0d388.exe
Verdict: Malicious activity
Analysis date: 2025-12-14 11:43:08 UTC
Tags: auto-sch stealer clipper diamotrix stealc auto-reg loader auto amadey botnet offloader svc crypto-regex rdp upx

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 90.2%
Tags: virus

Verdict: Malicious
Labeled as: Trojan_Win64_SvcStealer_RJP_MTB

Verdict: Malicious
File Type: exe x64
First seen: 2025-11-27T20:36:00Z UTC
Last seen: 2025-12-15T00:39:00Z UTC
Hits: ~100
Detections: Backdoor.Win32.Zegost.sb, VHO:Trojan-PSW.Win32.Convagent.gen, Trojan-Banker.Win32.ClipBanker.agcf, Trojan-Banker.Win32.ClipBanker.afyq, Trojan.Win32.Agent.sb, HEUR:HackTool.Win32.Inject.heur, Trojan-Spy.Agent.HTTP.C&C, Trojan-PSW.Win32.Pycoon.sb, Trojan-Dropper.Win32.Dapato.sb, PDM:Trojan.Win32.Tasker.cust, Trojan-Downloader.Win32.Agent.sb, Trojan-PSW.Win32.Stealer.sb, Trojan-Banker.Win32.ClipBanker.sba, PDM:Trojan.Win32.Generic, MEM:Trojan.Win32.Cometer.gen, Trojan-PSW.Lumma.HTTP.C&C, Trojan-PSW.Win64.StealC.sb, HEUR:Trojan-PSW.Win32.Lumma.gen, HEUR:Trojan-Banker.Win32.ClipBanker.gen, Trojan.Gatak.TCP.C&C, Trojan-PSW.Win32.StealC.v2, Trojan-Banker.Win32.ClipBanker.sb, Trojan.Win64.Agent.sb
Result
Threat name: Amadey, Clipboard Hijacker, Stealc v2
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Clipboard Hijacker
Yara detected Stealc v2
Behaviour
Behavior Graph (ID 1832403; sample kvO7m8Tc5J.exe; start date 14/12/2025; architecture WINDOWS; score 100). The following is what survives from the graph rendering:

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures. DNS lookup: www.google.com.

Process tree (dropped files and per-process signatures listed under each process):
- kvO7m8Tc5J.exe
  drops C:\ProgramData\ebecabcdbbbdc.exe (PE32+); injects code into explorer.exe; uses schtasks.exe or at.exe to add and modify task schedules; writes to foreign memory regions; starts schtasks.exe twice (each with a conhost.exe)
  - explorer.exe (injected)
    network: 158.94.208.102 ports 49716, 49717, 49719 (JANET / Jisc Services Limited, GB, United Kingdom); 178.16.53.7 ports 49720, 49740, 49744 (DUSNET-AS, DE, Germany); 3 other IPs or domains
    drops C:\Users\user\AppData\Local\...\DA2.tmp.exe, ...\8307.tmp.exe, ...\6F9A.tmp.exe (all PE32) and 12 other malicious files; system process connects to network (likely due to code injection or exploit); benign Windows process drops PE files; API chain indicative of debugger detection; 3 other signatures
    - DA2.tmp.exe
      drops C:\Users\user\Videos\Update.exe, C:\Users\user\Update.exe, C:\Users\user\Searches\Update.exe (all PE32) and 42 other malicious files; multi AV scanner detection for dropped file; drops PE files to the document folder of the user and to the user root directory
      - 5_3923140.exe: injects code into explorer.exe; writes to foreign memory regions; multi AV scanner detection for dropped file; 3 other signatures; starts schtasks.exe (with conhost.exe)
      - 4_3919906.exe: starts syshost.exe (contains functionality to start a terminal service; direct / indirect syscall, likely to bypass EDR)
      - 3_3916531.exe: direct / indirect syscall (likely to bypass EDR)
      - 2 other processes
    - 6F9A.tmp.exe and 5B35.tmp.exe
      each drops its own .tmp.tmp stage under C:\Users\user\AppData\Local\...; that stage drops _setup64.tmp (PE32+) and _isdecmp.dll (PE32) and re-launches the .tmp.exe, whose second .tmp.tmp stage drops _setup64.tmp, _isdecmp.dll, C:\ProgramData\...\vcruntime140_1.dll (copy) (PE32+) and 11 other malicious files; 6F9A.tmp.exe tries to detect sandboxes and other dynamic analysis tools
    - 6 other processes
      drop C:\Users\user\AppData\Roaming\syshost.exe (PE32+); many strings related to crypto-wallets; inject code into explorer.exe; harvest browser information; 6 other signatures; start syshost.exe (contains functionality to start a terminal service; unusual module load detection, module proxying), schtasks.exe (with conhost.exe) and 4 other processes
- 33EE.tmp.exe
  allocates memory in foreign processes; creates a thread in another existing process (thread injection); injects a PE file into a foreign process; starts schtasks.exe (with conhost.exe)
- ebecabcdbbbdc.exe
  antivirus detection for dropped file; multi AV scanner detection for dropped file; starts schtasks.exe (with conhost.exe)
- 2 other processes
  contain functionality to start a terminal service; direct / indirect syscall (likely to bypass EDR); start schtasks.exe (with conhost.exe)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Verdict: Malicious
Threat: Trojan-PSW.Win32.ClipBanker

Threat name: Win64.Trojan.Amadey
Status: Malicious
First seen: 2025-11-28 01:27:10 UTC
File Type: PE+ (Exe)
AV detection: 27 of 36 (75.00%)
Threat level: 5/5
Result
Malware family: svcstealer
Score: 10/10
Tags: family:svcstealer discovery downloader execution installer persistence spyware stealer upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup installer (Inno Setup is an open-source installation builder for Windows applications)
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://158.94.208.102/diamo/data.php
http://196.251.107.61/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
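The four extracted C2 URLs share the panel path /diamo/data.php and differ only in host, and the behaviour graph above shows the injected explorer.exe talking to two of those addresses. The block below is an example added by the editor, not MalwareBazaar or sandbox tooling: it turns this entry's config into a matcher and runs it over a constructed, trimmed Zeek http.log excerpt (the column set is reduced and every line is invented for the example; a real http.log carries more fields). An exact host match is reported as a high-confidence hit; a match on the path alone against an address not in the config is reported separately as a weaker lead, since the same panel path on a new host is consistent with the operator rotating infrastructure but needs triage before it is treated as a hit.

```python
"""Match the C2 endpoints from this entry's Malware Config against HTTP logs.
Editor's example; not MalwareBazaar code."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# C2 endpoints exactly as listed under "C2 Extraction" above.
C2_URLS = [
    "http://158.94.208.102/diamo/data.php",
    "http://196.251.107.61/diamo/data.php",
    "http://196.251.107.23/diamo/data.php",
    "http://178.16.53.7/diamo/data.php",
]


def split_indicators(urls):
    """Return (hosts, paths): hosts are exact-match indicators, paths are
    shared across the panel and only a supporting indicator on their own."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname)
        paths.add(parts.path)
    return hosts, paths


# Constructed, trimmed Zeek http.log excerpt (tab-separated). Not real traffic;
# the private and TEST-NET addresses and the example.com line are filler.
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "method", "host", "uri", "user_agent"]
SAMPLE_HTTP_LOG = """\
1765712520.101\tCabc1\t10.0.0.5\t49716\t158.94.208.102\t80\tPOST\t158.94.208.102\t/diamo/data.php\t-
1765712531.204\tCabc2\t10.0.0.5\t49720\t178.16.53.7\t80\tPOST\t178.16.53.7\t/diamo/data.php\t-
1765712545.330\tCabc3\t10.0.0.7\t50112\t93.184.216.34\t80\tGET\texample.com\t/index.html\tMozilla/5.0
1765712599.812\tCabc4\t10.0.0.9\t50301\t203.0.113.40\t80\tPOST\t203.0.113.40\t/diamo/data.php\t-
"""


@dataclass
class Hit:
    uid: str
    orig_h: str
    resp_h: str
    uri: str
    reason: str  # "host": listed C2 address; "path": panel path on an unlisted address


def parse_http_log(text):
    """Parse the trimmed log into dicts, skipping comments and malformed rows."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            continue  # wrong column count: do not guess, skip the row
        events.append(dict(zip(FIELDS, cols)))
    return events


def find_c2_hits(events, urls=C2_URLS):
    """Flag events whose server address or Host header is a listed C2 host,
    or whose URI is the panel path on some other address."""
    hosts, paths = split_indicators(urls)
    hits = []
    for ev in events:
        if ev["resp_h"] in hosts or ev["host"] in hosts:
            reason = "host"
        elif ev["uri"] in paths:
            reason = "path"
        else:
            continue
        hits.append(Hit(ev["uid"], ev["orig_h"], ev["resp_h"], ev["uri"], reason))
    return hits


if __name__ == "__main__":
    for h in find_c2_hits(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"{h.uid} {h.orig_h} -> {h.resp_h}{h.uri} [{h.reason}]")
```

On the constructed excerpt the two listed addresses come back as "host" hits and the unlisted 203.0.113.40 line as a "path" lead; the example.com line is ignored. Because the traffic in the graph originates from an injected explorer.exe, the client address in a real hit points at the infected host, not at a process name, so follow up with host-side telemetry for the dropped files and scheduled tasks listed above.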
Unpacked files
SHA256 hash: bfb6c67ed33c29f4c37e8d749b73c88ea9469e22952d75d1cc9906054ac47773
MD5 hash: 07585ae5f3f488e6a2bbbdd258d0d388
SHA1 hash: 83571db9946d8d48e63300226a0155cefa7db190

Malware family: Stealc.v2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

None of these four rules is specific to the SVCStealer family: DebuggerCheck__API and SEH__vectored are generic anti-debugging checks (consistent with the debugger-detection signatures in the sandbox results above), the first rule was written for one file from a DFIR Report case, and the last is a general Go-binary ruleset. Treat them as supporting evidence only; the family attribution on this page comes from the vendor verdicts and the Amadey, Clipper and Stealc v2 detections listed under the sandbox result.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments