MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SVCStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9
SHA3-384 hash: 7b4cf42818585e12026a7e6b472bf97a0d0168e0e530b0520220e51da1cc2c2931d5430d27d8e463ac15e8dbc1e665b1
SHA1 hash: 342376bf7b63e62ba57c69df68b1cf0e5ececa27
MD5 hash: 91763fd6a0da2fb89df38b3ed2ee1f69
humanhash: four-video-carolina-uniform
File name:file
Download: download sample
Signature SVCStealer
Create hunting rule
File size:275'968 bytes
First seen:2026-01-01 20:38:05 UTC
Last seen:2026-01-01 20:41:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0abae44faabc72ddc9922e5b949eaafa (1 x SVCStealer, 1 x Stealc)
ssdeep 6144:CZVkCIQMIQzzQ25XqH+ADmHbXJpxaEK+CS:CPkCIxIQz1qiLjkS
Threatray 14 similar samples on MalwareBazaar
TLSH T1CE449E22B8929132D6AA487598F5DBB58E3EBC510B6216D773C03FBF89305D0AF34B15
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 04beb2bebababa00 (2 x Stealc, 1 x SVCStealer)
Reporter Bitsight
Tags:dropped-by-amadey e3db0b exe SVCStealer


Avatar
Bitsight
url: http://62.60.226.159/update.exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
116
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-01 20:38:34 UTC
Tags:
stealer stealc loader auto-reg crypto-regex auto-sch auto generic arch-doc
Link:
https://app.any.run/tasks/5aba0ec3-4ab8-43ec-943f-a28e7bada898

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46859/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6956db36d2357cccc3de8333
Tags:
vmdetect autorun emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autorun fingerprint lolbin microsoft_visual_cc update
Link:
https://www.filescan.io/uploads/6956db35148c21e830ef3c19/reports/633a294f-5e82-4170-8711-b2747bbc1adf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-01T17:43:00Z UTC
Last seen:
2026-01-03T05:33:00Z UTC
Hits:
~1000
Detections:
VHO:Trojan-Downloader.Win32.Bazloader.gen Trojan-PSW.Lumma.HTTP.C&C Trojan-PSW.Win32.Pycoon.sb Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win64.Agent.sb Trojan-PSW.Win32.StealC.v2 Trojan.Win32.Gatak.goh PDM:Exploit.Win32.Generic Trojan-Spy.Agent.HTTP.C&C Trojan.Gatak.TCP.C&C Trojan.Patched.HTTP.ServerRequest Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.Express.sb Trojan-Banker.Win32.ClipBanker.sb Trojan.Scar.HTTP.C&C PDM:Trojan.Win32.Tasker.cust Trojan-Downloader.Win32.Dapato Trojan-Downloader.Win32.Bazloader.sb Trojan.Win32.Inject.sb HEUR:Worm.Win32.Generic HEUR:Trojan.Win32.Generic VHO:Trojan-PSW.Win32.StealC.gen Trojan-Banker.Win32.ClipBanker.agqu Trojan.Win32.Vimditator.sb HEUR:HackTool.Win32.Inject.heur Trojan.Win32.Udochka.sb VHO:Trojan-PSW.Win32.Convagent.gen VHO:Trojan-Banker.Win32.ClipBanker.gen Trojan-Downloader.Win32.Bazloader.hb Trojan.Win32.Agent.sb Trojan-Downloader.Bazloader.HTTP.C&C PDM:Trojan.Win32.Generic Trojan.Win32.Udochka.dcj HEUR:Trojan-Banker.Win32.ClipBanker.gen Backdoor.Win32.Androm Trojan.Snojan.HTTP.C&C MEM:Trojan.Win32.Cometer.gen
Link:
https://opentip.kaspersky.com/fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/32a9c560-12b5-4467-84d0-4408e5fa318b
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/91763fd6a0da2fb89df38b3ed2ee1f69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2026-01-01 20:38:15 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7yz4b4kzzdjpg7djiik7mouv6vnutdnaesddxb7x6vqb4ddmik4q._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da
SVCStealer
423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38
SVCStealer
a2218af43cad32ab30859e208456a61dfdbd1c0943a6146d97ce540dc44e214e
SVCStealer
ade2250e11f484491810cf2c6975ca728123c650c9306bc6987f5f4a378a01c6
SVCStealer
d898bd013497daf22a83fd7a0d13022336bad30ca1bf7803f0a644b538b12e14
SVCStealer
error
SVCStealer
+ 4 additional samples on MalwareBazaar
Result
Malware family:
svcstealer
Create hunting rule
Score:
  10/10
Tags:
family:stealc family:svcstealer botnet:crypt defense_evasion discovery downloader execution installer persistence spyware stealer upx
Link:
https://tria.ge/reports/260106-k7mxrayqat/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detects SvcStealer Payload
Modifies visibility of file extensions in Explorer
Stealc
Stealc family
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://196.251.107.23
Verdict:
Malicious
Tags:
JS_Nemucod
YARA:
n/a
Link:
https://app.threat.zone/submission/602f3ec1-e80d-484b-9728-3238bd3fdbda
Unpacked files
SH256 hash:
fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9
MD5 hash:
91763fd6a0da2fb89df38b3ed2ee1f69
SHA1 hash:
342376bf7b63e62ba57c69df68b1cf0e5ececa27
Link:
https://www.unpac.me/results/c0ba5cf1-8975-40f5-8e78-fe4e8ffe0180/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe33c0f159c8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SVCStealer

Executable exe fe33c0f159c8d2f37c694215f63a95f55b498da024863b87f7f5601e0c6c42b9

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/46859/
  
URLhaus
https://urlhaus.abuse.ch/url/3737970/

Comments