MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea05197e0c3bfb7ca461146bcfba417834b97a96d2a24397d745fe0f487e5d59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SVCStealer


Vendor detections: 17



SHA256 hash: ea05197e0c3bfb7ca461146bcfba417834b97a96d2a24397d745fe0f487e5d59
SHA3-384 hash: 49b6a6088b72a8eab81cf53727c8f483604d91f94ca601e64493d6cfa59f5fce4ebab8a7e39be1b972ea8e72792b5ede
SHA1 hash: 7a7b77b017111fbe515b69b36776f3bcce8d1b97
MD5 hash: e9d5e5ae99fd339f19c475246fdaac66
humanhash: east-winner-sierra-fruit
File name: 5.exe
Signature: SVCStealer
File size: 168'960 bytes
First seen: 2026-04-13 12:42:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 58e55310d66c611cb140f28166224b10 (2 x SVCStealer, 1 x Amadey, 1 x XTinyLoader)
ssdeep: 3072:H7nVDG7iPEC7P6Tx5TksYq2KCTzo9I/A++3lJ+56Kpv/f:VG7iPECL6TTTtjE4I/B+7rA
Threatray: 37 similar samples on MalwareBazaar
TLSH: T166F36E0A335460F4E17B9278CDA25B46E7B2787A17B1634E437843BA5F33251AE3D322
TrID: 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
      25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.4% (.ICL) Windows Icons Library (generic) (2059/9)
      10.3% (.EXE) OS/2 Executable (generic) (2029/13)
      10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: exe SVCStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 113
Origin country: SE
Vendor Threat Intelligence

Malware configuration found for: TinyLoader
Details: TinyLoader (xor decoded strings including cryptocurrency addresses and a c2 url)
Malware family:
ID: 1
File name: 5.exe
Verdict: Malicious activity
Analysis date: 2026-04-13 12:43:06 UTC
Tags: auto-reg amadey botnet stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmprotect autorun emotet cobalt

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug fingerprint microsoft_visual_cc obfuscated

Verdict: Malicious
File Type: exe x64
First seen: 2026-04-12T14:30:00Z UTC
Last seen: 2026-04-14T07:33:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Agent.sb HEUR:Trojan.Win64.Generic

Result
Threat name: Clipboard Hijacker, GO Stealer, RedLine
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Detected VMProtect packer
Drops PE files to the user root directory
Early bird code injection technique detected
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected GO Stealer
Yara detected RedLine Stealer
Yara detected Stealc v2
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 1897325, sample 5.exe, start date 13/04/2026, architecture WINDOWS, score 100. The graph is an image on the original page; the node data it carries is listed below.

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures.

Process tree (with dropped files and signatures per node):
  5.exe: drops C:\ProgramData\lhkug.exe (PE32+); Creates multiple autostart registry keys
    lhkug.exe: contacts 62.60.226.159; drops C:\Users\user\AppData\Local\...\VQJMQYWO.exe (PE32+), C:\Users\user\AppData\Local\...\NIJINJRK.exe (PE32+), C:\Users\user\AppData\Local\...\MPZCHOFV.exe (PE32) and 3 other malicious files; Multi AV Scanner detection for dropped file
      VQJMQYWO.exe: contacts t.213891.xyz, pybittrack.retiolus.net and 8 other IPs or domains; drops C:\Users\user\AppData\...\WinTelemetry.exe (PE32+), C:\Users\user\AppData\Local\Temp\tn_6.exe (PE32+), C:\Users\user\AppData\Local\Temp\tn_5.exe (PE32+) and 2 other malicious files; Found direct / indirect Syscall (likely to bypass EDR)
        tn_6.exe: drops C:\Users\user\AppData\...\unicodedata.pyd, C:\Users\user\AppData\Local\...\ucrtbase.dll, C:\Users\user\AppData\Local\...\select.pyd (all PE32+) and 52 other malicious files
        tn_4.exe: Detected unpacking (creates a PE file in dynamic memory); Queries sensitive video device information (via WMI, Win32_VideoController); Query firmware table information (likely to detect VMs); 4 other signatures
        tn_5.exe: Creates multiple autostart registry keys; 2 other signatures
        tn_3.exe -> schtasks.exe -> conhost.exe
      NIJINJRK.exe: Hijacks the control flow in another process; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
        HelpPane.exe: contacts 196.251.107.130; drops C:\Users\user\AppData\...\XC5q6giQu94R.exe, C:\Users\user\AppData\...\TxvRo58kcHam.exe, C:\Users\user\AppData\Local\...\zx[1].exe, C:\Users\user\AppData\Local\...\clpr[1].exe (all PE32+); Early bird code injection technique detected; Tries to harvest and steal Putty / WinSCP information; Tries to steal Mail credentials; 4 other signatures
          chrome.exe, msedge.exe (3 instances)
      KHKDKBKW.exe: drops C:\Users\user\updater.exe (PE32+); Antivirus detection for dropped file; Drops PE files to the user root directory; Uses schtasks.exe or at.exe to add and modify task schedules
        updater.exe: Injects code into the Windows Explorer (explorer.exe); 2 other signatures
          explorer.exe (injected) -> FKIFJGHB.exe (2 instances: Injects code into the Windows Explorer; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process; Injects a PE file into a foreign process), lhkug.exe
        schtasks.exe (2 instances) -> conhost.exe
      3 other processes: contact 196.251.107.104 and iuta.today; Detected unpacking; Queries sensitive video device information (via WMI); Query firmware table information; 7 other signatures
  WinTelemetry.exe (also started at top level): drops C:\Windows\System32\...\WinTelemetry.exe (PE32+); Multi AV Scanner detection for dropped file; Creates files in the system32 config directory; Found direct / indirect Syscall (likely to bypass EDR)
  updater.exe, lhkug.exe (also started at top level)

Network indicators from the graph:
  t.213891.xyz (172.67.137.235; ports 443, 49757, 49772; CLOUDFLARENETUS, United States); Performs DNS queries to domains with low reputation
  tracker.qingwapt.org
  pybittrack.retiolus.net (37.27.218.237; ports 443, 49759, 49776; UNINETAZ, Iran (Islamic Republic of))
  62.60.226.159 (ports 49715, 49716, 49726; ASLINE-AS-APASLINELIMITEDHK, Iran (Islamic Republic of))
  196.251.107.104 (ports 1912, 49802, 49807; ANGANI-ASKE, Seychelles)
  196.251.107.130 (ports 49717, 80; ANGANI-ASKE, Seychelles)
  iuta.today (31.97.61.212; ports 49746, 8521; EELtdGB, United Kingdom)
  10 other IPs or domains contacted by the top-level sample

Threat name: Win64.Trojan.Qwexlafiba
Status: Malicious
First seen: 2026-04-12 20:54:36 UTC
File Type: PE+ (Exe)
AV detection: 16 of 24 (66.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Unpacked files
SHA256 hash: ea05197e0c3bfb7ca461146bcfba417834b97a96d2a24397d745fe0f487e5d59
MD5 hash: e9d5e5ae99fd339f19c475246fdaac66
SHA1 hash: 7a7b77b017111fbe515b69b36776f3bcce8d1b97
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: SVCStealer, Executable exe ea05197e0c3bfb7ca461146bcfba417834b97a96d2a24397d745fe0f487e5d59 (this sample)
Delivery method: Distributed via web download
