MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SVCStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6
SHA3-384 hash: 8c7ae289a3fa390187a623adfacd3d01d7dc6d76a7785ec8579bdd799f28a5c4e39a41608eb5f977c204fd73e1e150bd
SHA1 hash: 9fd7832a9f25a880333902af15101c9e716156b4
MD5 hash: 5547d9f8c74f8de260394205b0045ee8
humanhash: pizza-quiet-artist-don
File name:SecuriteInfo.com.Trojan.Dridex.1505.11765.2335
Download: download sample
Signature SVCStealer
Create hunting rule
File size:202'240 bytes
First seen:2025-12-01 13:33:29 UTC
Last seen:2025-12-01 14:53:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d20241135260a6283527b95f11fc551 (1 x Amadey, 1 x SVCStealer)
ssdeep 3072:GLkiHgZn7CNFBneOI7Aeq63oNZ4rKypSiDX9I24+lgNd+s0PWMelS:GLkiHC7JOI7+5Z4rWk9IHDd+sUK
Threatray 105 similar samples on MalwareBazaar
TLSH T147148C243680C072E4B7027145FC9B32597DBE620BB156DBB3E80F9D8AB45D26B31767
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe SVCStealer

Intelligence

File Origin
# of uploads :
6
# of downloads :
89
Origin country :
FR FR
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Dridex.1505.11765.2335
Verdict:
Malicious activity
Analysis date:
2025-12-01 13:36:08 UTC
Tags:
stealc stealer auto-reg clipper diamotrix crypto-regex loader
Link:
https://app.any.run/tasks/44b50c39-7491-4b91-a8b3-55911da3f8e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42009/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692d9957c908fdc697475751
Tags:
downloader trojan packed
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request to an infection source
Sending an HTTP POST request
Enabling the 'hidden' option for files in the %temp% directory
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Creating a file in the mass storage device
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a system process
Enabling threat expansion on mass storage devices
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug autorun fingerprint lolbin microsoft_visual_cc update zusy
Link:
https://www.filescan.io/uploads/692d995462c326be4c7c1bc9/reports/80287202-28ee-414b-9fe9-70baef1d6c57/overview
Verdict:
Malicious
Labled as:
Worm/SillyShareCopy
Link:
https://www.hybrid-analysis.com/sample/c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6
Result
Gathering data
Verdict:
Unknown
File Type:
exe x32
Link:
https://opentip.kaspersky.com/c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70d1949d-c964-4a99-825b-4cb7325c2c06
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/5547d9f8c74f8de260394205b0045ee8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yoavhjeww2zjppfsnavvnpp55swptvghfoyepehy4z36xchvbxda._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
16b1301aecdd958a7c899ab6f0839b1842e68abd0eb9f9ea6c2a8d652fdfc1ce
SVCStealer
34916f068c8e1bd60b49c89051178b88e322967669975683bcaf7b635f0a058a
SVCStealer
3d16e392fa1bc80d36687c28ee2a1ca81283e8c0d8da703c17fc8a8703a0e9f9
SVCStealer
c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6
SVCStealer
dbfd1a47a0108c7075c813c498abcf4857109e72207eeb86f435e535a4e2ed8f
SVCStealer
ec71e978e1b6a9f3b598bc5329fa4f29ef602bd9a4993844d18c93e2d46eccc9
SVCStealer
error
SVCStealer
+ 95 additional samples on MalwareBazaar
Result
Malware family:
svcstealer
Create hunting rule
Score:
  10/10
Tags:
family:stealc family:svcstealer botnet:vvc discovery downloader installer persistence spyware stealer upx
Link:
https://tria.ge/reports/251201-qt7mwsymfz/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops autorun.inf file
Drops file in System32 directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detects SvcStealer Payload
Stealc
Stealc family
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php
http://196.251.107.23
Verdict:
Malicious
Tags:
JS_Nemucod
YARA:
n/a
Link:
https://app.threat.zone/submission/ba3d0daf-a150-47e7-b89e-43ad41d58f18
Unpacked files
SH256 hash:
c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6
MD5 hash:
5547d9f8c74f8de260394205b0045ee8
SHA1 hash:
9fd7832a9f25a880333902af15101c9e716156b4
Link:
https://www.unpac.me/results/6e165b94-e169-4e58-8692-f99e30c6ac55/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c38153a496b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SVCStealer

Executable exe c38153a496b6b297bcb2682b56bdfdecacf9d4c72bb04790f8e677eb88f50dc6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3722200/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/42009/

Comments