MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e716fecd4ed32d90b1c707da5b419c65a7e1d89b4e416ee69765a3729c1e3293. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SVCStealer
Vendor detections: 16

SHA256 hash: e716fecd4ed32d90b1c707da5b419c65a7e1d89b4e416ee69765a3729c1e3293
SHA3-384 hash: ecde2fd965bd3466323496046875c3c9e9386fb5b1cbf4ce0ff3082ff2e1fcc482eaf5887a5c0b02a1ce6ffd7974648b
SHA1 hash: 450c9c37d5b262f7e0230c8235f0031d1f632b9b
MD5 hash: 47293d99962eee46f45384ad95b77ef3
humanhash: twelve-fix-mango-ack
File name: 47293d99962eee46f45384ad95b77ef3.exe
Signature: SVCStealer
File size: 509'440 bytes
First seen: 2025-12-25 12:37:12 UTC
Last seen: 2025-12-31 08:38:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 78f0b9037223ba008b9e0f5ebe07069b (5 x SVCStealer, 1 x SVC)
ssdeep 6144:hMhyzNBvnRVjnT2XvZgXXvWsIvWX+qYl2b27UGjY960Q+P5WKnttFX+HAbKZxGzr:ayzNxzVaWX+n7Lm4+PE+tj+gb8cz3ko
TLSH T177B4C049366410B9E86B813CC9578A46F6F2785A077093CF13A487BA5F3BBE19A3D311
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.6% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags: exe SVCStealer

Intelligence


File Origin
# of uploads :
8
# of downloads :
94
Origin country :
SE
Vendor Threat Intelligence
Malware configuration found for: KINS
KINS: possibly configuration data including URLs and a missionid, cryptocurrency addresses, and extracted components
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-12-24 22:46:35 UTC
Tags:
auto-reg stealc stealer auto-sch python crypto-regex svcstealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
downloader dropper emotet virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug exploit explorer fingerprint lolbin packed
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-24T20:46:00Z UTC
Last seen:
2025-12-24T23:16:00Z UTC
Hits:
~100
Detections:
Trojan.Scar.HTTP.C&C Trojan.Gatak.TCP.C&C Trojan.Agentb.TCP.C&C Trojan-PSW.Win32.Lumma.yiv Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Backdoor.Win32.Androm VHO:Trojan-Banker.Win32.ClipBanker.gen VHO:Backdoor.Win32.Androm.gen Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.Gomal.sb Trojan.Win64.Agent.sb Trojan-PSW.Win32.Lumma.zgr Trojan-PSW.Win64.StealC.sb Trojan-PSW.Lumma.HTTP.C&C VHO:Trojan-PSW.Win32.Lumma.gen Trojan-PSW.Lumma.HTTP.Download PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Lumma.zad Trojan-Dropper.Win32.Dapato.sb Trojan-Downloader.Agent.HTTP.C&C Trojan-PSW.Win32.Lumma.yiu
Result
Threat name:
Amadey, Clipboard Hijacker, Stealc v2, S
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to send encrypted data to the internet
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Clipboard Hijacker
Yara detected Stealc v2
Yara detected SvcStealer
Behaviour
Behavior Graph: ID 1839319; sample oyPIuQSDd8.exe; start date 25/12/2025; architecture WINDOWS; score 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

Process tree (dropped files, network destinations and signatures are listed under the process they belong to):

oyPIuQSDd8.exe
  dropped: C:\ProgramData\ebecabcdbbbdc.exe (PE32+)
  signatures: Found evasive API chain (may stop execution after checking mutex); Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys
  -> explorer.exe (injected)
     network: 62.60.226.159, 27015, 49696, 49698 (ASLINE-AS-AP ASLINE LIMITED HK, Iran (Islamic Republic of)); 204.79.197.203, 443 (MICROSOFT-CORP-MSN-AS-BLOCK US, United States)
     dropped: C:\Users\user\AppData\Local\...\F8F3.tmp.exe (PE32+); C:\Users\user\AppData\Local\...\A784.tmp.exe (PE32+); C:\Users\user\AppData\Local\...\336A.tmp.exe (PE32+)
     signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Unusual module load detection (module proxying)
     -> 336A.tmp.exe
        dropped: C:\Users\user\AppData\Roaming\syshost.exe (PE32+)
        signatures: Multi AV Scanner detection for dropped file
        -> syshost.exe
           network: 158.94.208.102, 49704, 49710, 49715 (JANET Jisc Services Limited GB, United Kingdom); 178.16.53.7, 49703, 49709, 49722 (DUSNET-AS DE, Germany)
           dropped: C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\...\scalable_8599.exe (PE32); C:\Users\user\AppData\Local\...\Loader.exe (PE32+); 14 other malicious files
           signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Unusual module load detection (module proxying)
           -> 11.exe
              dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 47 other malicious files
              signatures: Multi AV Scanner detection for dropped file
           -> fobxyv.exe
              dropped: C:\Users\user\AppData\...\temp_24025.exe (PE32); C:\...\scalable_8599.9243.77_INSTALL[1].exe (PE32)
              signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to send encrypted data to the internet; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
              -> temp_24025.exe
                 dropped: C:\Users\user\AppData\...\temp_24025.tmp (PE32)
                 signatures: Multi AV Scanner detection for dropped file
                 -> temp_24025.tmp
                    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32)
                    -> temp_24025.exe
                       dropped: C:\Users\user\AppData\...\temp_24025.tmp (PE32)
                       -> temp_24025.tmp
                          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\ProgramData\...\vcruntime140_1.dll (copy) (PE32+); 11 other malicious files
                          -> FnHotkeyUtility.exe
                             signatures: Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
           -> synchost.exe
              signatures: Antivirus detection for dropped file; Creates multiple autostart registry keys; Injects code into the Windows Explorer (explorer.exe); 5 other signatures
              -> schtasks.exe -> conhost.exe
              -> schtasks.exe -> conhost.exe
           -> 2 other processes
              -> rundll32.exe
                 signatures: System process connects to network (likely due to code injection or exploit)
              -> rundll32.exe
     -> A784.tmp.exe
        signatures: Hijacks the control flow in another process; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
        -> HelpPane.exe
           network: 196.251.107.23, 49712, 80 (ANGANI-AS KE, Seychelles)
           dropped: C:\Users\user\AppData\...\synchost[1].exe (PE32+); C:\Users\user\AppData\...\9owWXusMmTQq.exe (PE32+)
           signatures: Early bird code injection technique detected; Found many strings related to Crypto-Wallets (likely being stolen); Contains functionality to inject code into remote processes; 6 other signatures
           -> chrome.exe
           -> chrome.exe
     -> synchost.exe
        signatures: Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
        -> schtasks.exe -> conhost.exe
     -> 3 other processes
        signatures: Found evasive API chain (may stop execution after checking mutex)
        -> schtasks.exe -> conhost.exe
synchost.exe
  signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes
  -> schtasks.exe -> conhost.exe
synchost.exe
  signatures: Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  -> schtasks.exe -> conhost.exe
2 other processes
  signatures: Contains functionality to start a terminal service; Found direct / indirect Syscall (likely to bypass EDR)
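Most of what the process tree above records is ordinary host telemetry: a Run key pointing into C:\ProgramData, schtasks.exe spawned by the dropped synchost.exe, thread injection into explorer.exe, and outbound connections from the injected explorer.exe and from HelpPane.exe. The Python below is an added example, not MalwareBazaar or Joe Sandbox code, that applies those four checks to Sysmon-style events. The events are constructed from the behavior graph; the on-disk path of synchost.exe under AppData\Roaming, the Run key value name and the simplified field names are assumptions, since the sandbox report does not state them.

```python
"""Behavioural checks over Sysmon-style events, mirroring four of the
sandbox signatures above. Added example, not MalwareBazaar or Joe Sandbox
code. Field names are a simplified form of Sysmon event IDs 1 (process
create), 3 (network connect), 8 (CreateRemoteThread) and 13 (registry
value set); the events are constructed from the behaviour graph."""
import ntpath
import re

# Directories an autostart entry or a task-creating parent should not live in
# (same idea as the Sigma rule "New RUN Key Pointing to Suspicious Folder").
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData|Temp|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# System binaries that have no legitimate reason to open outbound sockets.
NO_NETWORK = {"helppane.exe", "rundll32.exe"}
# explorer.exe does talk to the web; flag only non-web ports (heuristic).
WEB_PORTS = {80, 443}
WINDOWS_DIR = "c:\\windows\\"


def _name(path):
    return ntpath.basename(path).lower()


def triage(events):
    """Return (rule, detail) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        eid = ev["id"]
        if eid == 13 and RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["value"]):
            findings.append(("run_key_suspicious_folder", f"{ev['key']} = {ev['value']}"))
        elif (eid == 8 and _name(ev["target"]) == "explorer.exe"
              and not ev["source"].lower().startswith(WINDOWS_DIR)):
            findings.append(("remote_thread_into_explorer", ev["source"]))
        elif (eid == 1 and _name(ev["image"]) == "schtasks.exe"
              and USER_WRITABLE.search(ev["parent"])):
            findings.append(("schtasks_from_user_writable_parent", ev["parent"]))
        elif eid == 3:
            img = _name(ev["image"])
            dst = f"{ev['dst']}:{ev['port']}"
            if img in NO_NETWORK:
                findings.append(("network_from_non_network_system_binary", f"{img} -> {dst}"))
            elif img == "explorer.exe" and ev["port"] not in WEB_PORTS:
                findings.append(("explorer_unusual_port", dst))
    return findings


# Constructed from the behaviour graph; items marked "assumed" are not in the report.
SYNCHOST = r"C:\Users\user\AppData\Roaming\synchost.exe"  # location assumed
EVENTS = [
    {"id": 1, "image": r"C:\Users\user\Desktop\oyPIuQSDd8.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 13, "image": r"C:\Users\user\Desktop\oyPIuQSDd8.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ebecabcdbbbdc",  # value name assumed
     "value": r"C:\ProgramData\ebecabcdbbbdc.exe"},
    {"id": 8, "source": SYNCHOST, "target": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": SYNCHOST},
    {"id": 3, "image": r"C:\Windows\explorer.exe", "dst": "204.79.197.203", "port": 443},  # web port, not flagged
    {"id": 3, "image": r"C:\Windows\explorer.exe", "dst": "62.60.226.159", "port": 27015},
    {"id": 3, "image": r"C:\Windows\HelpPane.exe", "dst": "196.251.107.23", "port": 80},
]

if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:40} {detail}")
```

The explorer.exe check is deliberately narrow: explorer.exe legitimately reaches Microsoft endpoints on 443, so only the 27015 connection from the graph is flagged, while HelpPane.exe and rundll32.exe are flagged on any outbound connection. In a real deployment the port heuristic should be replaced by a destination allowlist or the C2 list from the malware configuration.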
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.PowerLoader
Status:
Malicious
First seen:
2025-12-24 23:10:10 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Result
Malware family:
svcstealer
Score:
  10/10
Tags:
family:stealc family:svcstealer botnet:crypted downloader execution persistence spyware stealer
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Executes dropped EXE
Downloads MZ/PE file
Stealc
Stealc family
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php
http://196.251.107.23
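The file hashes at the top of the entry and the C2 URLs just listed are the two IOC sets a responder would actually sweep with. The Python below is an added example, not MalwareBazaar tooling: it recomputes the four digests MalwareBazaar publishes for a file and compares them with the entry, and it matches proxy log lines against the extracted C2 hosts, using the /data.php path shared by every configured URL as a lower-confidence hunting pattern for hosts not yet on the list. The log lines, their field layout and the 203.0.113.9 host are constructed for the demonstration.

```python
"""Sweep local artefacts against the IOCs published in this MalwareBazaar
entry. Added example, not MalwareBazaar tooling. Hash values and C2 URLs
are copied from the entry; the proxy log lines and the 203.0.113.9 host
are constructed for the demonstration."""
import hashlib
import re
from urllib.parse import urlsplit

# File hashes of the sample, copied from the entry.
SAMPLE_HASHES = {
    "sha256": "e716fecd4ed32d90b1c707da5b419c65a7e1d89b4e416ee69765a3729c1e3293",
    "sha1": "450c9c37d5b262f7e0230c8235f0031d1f632b9b",
    "md5": "47293d99962eee46f45384ad95b77ef3",
    "sha3_384": ("ecde2fd965bd3466323496046875c3c9e9386fb5b1cbf4ce0ff3082ff2e1fcc4"
                 "82eaf5887a5c0b02a1ce6ffd7974648b"),
}

# C2 URLs from the "Malware Config" section.
C2_URLS = [
    "http://62.60.226.159/zbuyowgn/data.php",
    "http://158.94.208.102/diamo/data.php",
    "http://196.251.107.23/diamo/data.php",
    "http://178.16.53.7/diamo/data.php",
    "http://196.251.107.61/diamo/data.php",
    "http://196.251.107.23",
]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
# Every configured URL ends in /data.php; reuse that as a weaker hunting
# pattern for hosts not yet on the list (expect false positives).
C2_PATH = re.compile(r"/data\.php$")

# "<timestamp> <client> <method> <url> <status>": a constructed log shape.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists for a file."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matches_sample(data: bytes) -> bool:
    """True only if every listed digest agrees; one match would identify
    the file, but a disagreement between digests means the IOC list was
    copied wrongly and should be checked before it is acted on."""
    return hash_bytes(data) == SAMPLE_HASHES


def scan_proxy_log(lines):
    """Return (timestamp, client, url, reason) for each line touching C2."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        if parts.hostname in C2_HOSTS:
            hits.append((ts, client, url, "c2_host"))
        elif C2_PATH.search(parts.path or ""):
            hits.append((ts, client, url, "c2_path_pattern"))
    return hits


# Constructed proxy log, not captured traffic.
PROXY_LOG = """\
2025-12-25T12:40:01Z 10.0.0.15 POST http://62.60.226.159/zbuyowgn/data.php 200
2025-12-25T12:40:03Z 10.0.0.15 GET http://www.example.com/ 200
2025-12-25T12:41:10Z 10.0.0.22 POST http://196.251.107.23/diamo/data.php 200
2025-12-25T12:41:12Z 10.0.0.22 GET http://196.251.107.61/ 404
2025-12-25T12:42:00Z 10.0.0.31 POST http://203.0.113.9/diamo/data.php 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(*hit)
    print(matches_sample(b"MZ"))  # False: the sample itself is not embedded here
```

Matching on the host rather than the full URL catches the bare http://196.251.107.23 entry and any later change of path; the /data.php pattern on its own is only a lead, since plenty of legitimate PHP endpoints use that name, and a hit from it should be corroborated with the host's reputation or with the behavioural indicators listed above.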
Verdict:
Malicious
Tags:
Win.Downloader.Marte-10058294-0
YARA:
n/a
Unpacked files
SHA256 hash:
e716fecd4ed32d90b1c707da5b419c65a7e1d89b4e416ee69765a3729c1e3293
MD5 hash:
47293d99962eee46f45384ad95b77ef3
SHA1 hash:
450c9c37d5b262f7e0230c8235f0031d1f632b9b
Detections:
win_sdbbot_auto
SHA256 hash:
0963f044513d523292a340588f97d4d31fe4823a95e16a47a8217ee6e5581a70
MD5 hash:
53bac7df8377a7b1a68a6c52bfbfdd69
SHA1 hash:
82be4aa082a10be0b8ce6e74cb6e65b3b1bdd956
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping malware through a base64 encoded powershell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:win_sdbbot_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.sdbbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SVCStealer

Executable exe e716fecd4ed32d90b1c707da5b419c65a7e1d89b4e416ee69765a3729c1e3293

(this sample)

Delivery method
Distributed via web download

Comments