MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88facdfb67f3a194192da9c690c1e9064218f86e90acdfe11c51c2fda18221b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 14

SHA256 hash: 88facdfb67f3a194192da9c690c1e9064218f86e90acdfe11c51c2fda18221b0
SHA3-384 hash: e24da2af6fd79a78524ab3b2d03a966530e63d40fd083f730b1091f5e8e4d473784e0b831ffe611da66925db22606337
SHA1 hash: b740edd181d29dd755a915de68d231b2c6b511fb
MD5 hash: e333235d4687fad7d055a8d7a24430f6
humanhash: uncle-uncle-solar-saturn
File name: svchost.exe
Signature: Simda
File size: 2'945'658 bytes
First seen: 2025-11-23 09:25:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2e5df9fb7e893bd2efa286b6326edce6 (6 x Simda)
ssdeep 6144:ZEQBDdO1z7L/EIhZDE9oLfFWlMZT7+DGaMwICm:ZEGDdQNHEwWlMxYG/wIJ
TLSH T11ED50210F198A647E16F083A05A5E03A883F7C7A6F23673E5E0119C27EFA6D1D761B64
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Hexastrike
Tags: exe Simda

Intelligence


File Origin
# of uploads :
1
# of downloads :
13
Origin country :
IE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
Malicious activity
Analysis date:
2025-11-23 10:03:34 UTC
Tags:
anti-evasion auto-reg

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
injector virtool emotet remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Searching for the anti-virus window
Moving of the original file
Query of malicious DNS domain
Enabling autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt fingerprint packed xpack
Result
Gathering data
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Backdoor.Simda
Status:
Malicious
First seen:
2025-11-23 09:17:24 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
30 of 36 (83.33%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:simda discovery persistence stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Modifies WinLogon for persistence
Simda family
simda
Verdict:
Malicious
Tags:
Win.Trojan.Shiz-661
YARA:
n/a
Unpacked files
SHA256 hash:
88facdfb67f3a194192da9c690c1e9064218f86e90acdfe11c51c2fda18221b0
MD5 hash:
e333235d4687fad7d055a8d7a24430f6
SHA1 hash:
b740edd181d29dd755a915de68d231b2c6b511fb
SHA256 hash:
a16023bfa756885f344b7bdfcf666974ae4a940892c1280c7dd396f4342f4889
MD5 hash:
f9fbf30e76b950ad8b2e33f4a46b17b8
SHA1 hash:
9ff48242e88ed44ac6ffe02cf63e4c5470eb813f
Detections:
win_simda_auto win_simda_g1 win_simda_g0 Simda MALWARE_Win_Simda
SHA256 hash:
426114af278a4787da870fcd4848e01cdf1ef81e593d37cfa04087c1965d67d3
MD5 hash:
35dae5c6320344e20b08042e8ca92938
SHA1 hash:
40d88b2e6e1da7af2dea44743942def2b0adc30b
Detections:
win_simda_auto win_simda_g1 win_simda_g0 Simda MALWARE_Win_Simda
SHA256 hash:
e3fa2bf915789a2aa46a56188922f7c6e40c460b5f13366225e6103869c7bcff
MD5 hash:
e50057fdcabc7dea7d8670da2add7b0d
SHA1 hash:
55925abdbf3b90d7b538f796c2d009ccd9e60279
Detections:
win_simda_auto win_simda_g1 win_simda_g0 Simda MALWARE_Win_Simda
Parent samples :
dc1c6d303002b580188a6d25d471d95d5a001186f85db279aca2e2de98527b92
55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51
03336e55e9bc4f0ae61098eeb358c36cf558683c457e7ccce374a61335df36d0
0954d357412d7bcccb3e28d9760e621a7c32a34626fa7fff0f4c101de53ddd05
0bdb5f7f03b6be6ad31a7397d265535ae95c85271d0345c6331e296ffaa09f17
14164234fdf8d6cf6d08ad2b1a5341fcabf6ecea1dc159f87af4fe164ef7c74a
19b249c8c048de11213666ae13cc1c62635dda37cf2a41b696dc0f946362cacf
217d3556de75c6ae83f565aad46e73a7ab892f1cbe3d2b55aa70d2112181e110
2c2e74c219be5698372888cca337abaed31d50b438596830d4c9043c04d6dea8
35972590b79eabb7394fa147b3dd64a8f3f7f0bddb82c527d87f345215c00e30
48f84d7d505f3a2ce61baa8e56dd0838d0b81a0103db009bfd5596fb3f62af4d
535b682938ea8f9ff66d4c75cf9dee36060ba4caf9713cadd4638e4adddbdde2
53c1854d8132616a67e0aceaa012cb8b760e6205d433f0e01aec35ef81cd505c
552b60239027f24fbfacaf9d7497a318f4ae89898c60338f68fcac18327cea88
59d16811cc0a1c0caf3a05f043818b61e3e99c6df7476e91f8bb8fa30e188043
61d8fb1f75b5f2a16cd31e459ca8d6a98fbdaaa73fa12598b359615adc938bf4
632a95a51b95ba00d06df6881c06a766e6e8496ed2fa070b810adc4b96012bb5
7264095b75d31b7ed0b80ecaa36f80ffcbdcedeac4d49c2a70ec684ee070140e
8032eeaa6fb612a56ab09e7469e264e4bb9186a0321e0b10cabec3aaa39a5a2f
8447097cbe5deca77a965ba8fdaa19270af3a686c4d8c64a6c4fb997a41fed12
88facdfb67f3a194192da9c690c1e9064218f86e90acdfe11c51c2fda18221b0
8d889a2aee7890a15ee20f20a1d8f1aded466f6c1c55ae571255ffca61066fad
8e2a2dc3cfb53da2352439b230ccf315c257ceb99e7c1cc99b48e41f435d7f51
9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a
a13b480f8be5a52bcb8a128e5da1b8738356c62830d1964423d77657ca1c9f55
a624205430cc2c2bfbac3f26744bc741dece39dc1b40f2f9c298b2355846300f
ab2530727d9438d1a32da7379b5795eb4053af832f5254e3d04a6d33c9b9ebd9
ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904
b0057b6c3a1c0b6da1c11ca0e74af354c848c6ce1f4abacbc9b44c32174619b1
b35935b1f0fc9cc104bd32a4e8410a6fe04e1b5b4ca714c918df55353435ef1a
b9cc8a804c0cc89e9f31c66e943408c76d35363ed664c87fe828efd0909ab87b
be8d0ec74025f2a531c7cc903be20131e47e2b54da9a0ed2a48af66d4cd66a74
bf279efd14dd25bcd0b9292c677df631b7d9520029e15f2d2b8cba49177fc3ef
c28b49bb5673deb40c8225c66e84a88306f2fc7be4e207a7cb668522e659ad2e
e3a917b9425e70c7fbe5e9c94578708ba62979569c18698a178d78dbc5f65c0e
eecfd380869328417580435ad8ac5db3b35ddfe2b0818e8e152218800178b468
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments