MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ab94759adfbfabb027f2dd1262e6eecbcd38b336dea1e9dd5b4550a885946b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ab94759adfbfabb027f2dd1262e6eecbcd38b336dea1e9dd5b4550a885946b6
SHA3-384 hash: ecb6a2fc385b7efaa280d86a34ea8590257e84b44d80800d350ccdfb916946dc0e890cf38f8345733ea103b93f60814e
SHA1 hash: 0cb5fe24a9d566578b0a6c24871c0f8cd6edf4c9
MD5 hash: 5078110bf170f782324893c535036b7e
humanhash: wyoming-asparagus-stairway-carbon
File name:svchost.exe
Download: download sample
Signature Simda
Create hunting rule
File size:92'820 bytes
First seen:2025-11-23 09:21:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 520c130e82cbe6120da2d52c754c2522 (39 x Simda, 1 x XWorm)
ssdeep 1536:L843cqTzCA2PYi+4RFjD4NeX8jIokzah2lPYEWpwPZrmDy5JFfnj9kYfsyLb5:LJTfR2L+CRDeeXrz9lwEWGs23xsyL9
TLSH T18893E0631B0C197AD9150F7B1ABAFB2171BBA4541333D6E30B009A6E6E233C6BD39745
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Hexastrike
Tags:exe Simda

Intelligence

File Origin
# of uploads :
1
# of downloads :
11
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40370/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6922da5c140de26f6c2c8f9c
Tags:
injection obfusc simda
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint installer-heuristic overlay packed
Link:
https://www.filescan.io/uploads/6922d737f96b58f0dc80b206/reports/861c6500-1b92-4b12-a126-2c36e5c6998e/overview
Verdict:
Malicious
Labled as:
Trojan.EmotetU.Generic
Link:
https://www.hybrid-analysis.com/sample/4ab94759adfbfabb027f2dd1262e6eecbcd38b336dea1e9dd5b4550a885946b6
Result
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4ab94759adfbfabb027f2dd1262e6eecbcd38b336dea1e9dd5b4550a885946b6
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/5078110bf170f782324893c535036b7e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ab94759adfbfabb027f2dd1262e6eecbcd38b336dea1e9dd5b4550a885946b6/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2025-11-21 13:08:46 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jk4uownn7p5lwat7fxismlto5s6nhcztnxvb5hovwrkqvcczi23a._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/251123-lp4cfsykek/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/35580572-64e2-4560-b6eb-b1e29e26ea2e
Unpacked files
SH256 hash:
4ab94759adfbfabb027f2dd1262e6eecbcd38b336dea1e9dd5b4550a885946b6
MD5 hash:
5078110bf170f782324893c535036b7e
SHA1 hash:
0cb5fe24a9d566578b0a6c24871c0f8cd6edf4c9
Link:
https://www.unpac.me/results/e75568be-f2a5-49a5-a078-09f1b5f9207e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ab94759adfbfabb027f2dd1262e6eecbcd38b336dea1e9dd5b4550a885946b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/40370/

Comments