MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f471bb7786d4e536c29125501853176cf6e8dfd3124d3fc2b097b17630b726a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 12



SHA256 hash: 0f471bb7786d4e536c29125501853176cf6e8dfd3124d3fc2b097b17630b726a
SHA3-384 hash: d34ba6a9b35d31aacfa4a3d37894ad0fa45beb50e78650af60352b16fa1ba63b6e41120a928e25738b400c3b514f04df
SHA1 hash: b394c1340b7085a684ee68933fe81e1292dd1f95
MD5 hash: 3ac66a8cfa2641b2544c0a814be2f135
humanhash: vermont-september-venus-emma
File name: svchost.exe
Signature: Simda
File size: 220'672 bytes
First seen: 2025-11-23 09:17:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fc654781844d06a6ccaad40505274c80 (3 x Simda)
ssdeep: 6144:U+Gupq7CAM0TDJZJ8uMYG83Qnqi9p07Sl:U+GmwCt0PWNsJiK
TLSH: T11B241202A7EF1CACD55F093B67772323D379E2720E70EF96481C185D7CAA14C7A885A2
TrID:
  27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
  8.5% (.ICL) Windows Icons Library (generic) (2059/9)
  8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Hexastrike
Tags: exe Simda

Intelligence

File Origin
# of uploads: 1
# of downloads: 21
Origin country: IE
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: simda shiz
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Searching for the anti-virus window
Moving of the original file
Query of malicious DNS domain
Enabling autorun
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context crypt fingerprint packed xpack
Result
Gathering data
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Backdoor.Simda
Status: Malicious
First seen: 2025-11-22 01:51:06 UTC
AV detection: 34 of 38 (89.47%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Verdict: Malicious
Tags: Win.Trojan.Agent-316113
YARA: n/a
Unpacked files
SHA256 hash: 0f471bb7786d4e536c29125501853176cf6e8dfd3124d3fc2b097b17630b726a
MD5 hash: 3ac66a8cfa2641b2544c0a814be2f135
SHA1 hash: b394c1340b7085a684ee68933fe81e1292dd1f95
SHA256 hash: 26ec8b525a08465f3e6f49efd2371d4030b4b263e9a9569dfe760b63aaafb913
MD5 hash: 354481bcf9c0ed8ab73b058c654fde29
SHA1 hash: 7959aba8959e831adfeb9eb2d737e04ffb5e4451
Detections: win_simda_auto win_simda_g1 win_simda_g0 Simda MALWARE_Win_Simda
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments