MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d889a2aee7890a15ee20f20a1d8f1aded466f6c1c55ae571255ffca61066fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 10

SHA256 hash: 8d889a2aee7890a15ee20f20a1d8f1aded466f6c1c55ae571255ffca61066fad
SHA3-384 hash: 67dc61f8b659eb8c882ba8a95a2ca252bb1ad8e07498c4b83255212783999daf6a5ad1860a63410b8c85dd6b5eeb8dae
SHA1 hash: 2d88621b07d308e52fa79bac254131653ca3fc44
MD5 hash: 82f9847adb36529063ae2a4fedcc2e8e
humanhash: batman-queen-blue-sweet
File name: svchost.exe
Signature: Simda
File size: 2'945'658 bytes
First seen: 2025-11-23 09:25:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2e5df9fb7e893bd2efa286b6326edce6 (6 x Simda)
ssdeep: 6144:+EQBDdO1z7L/EIhZDE9oLfFWlMZT7+DGaMwICm:+EGDdQNHEwWlMxYG/wIJ
TLSH: T16ED50210F198A647E16F083A05A5E03A883F7C7A6F23673E5E0119C27EFA6D1D761B64
TrID:
  27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
  8.5% (.ICL) Windows Icons Library (generic) (2059/9)
  8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Hexastrike
Tags: exe Simda

Intelligence

File Origin
# of uploads: 1
# of downloads: 10
Origin country: IE

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Searching for the anti-virus window
Moving of the original file
Query of malicious DNS domain
Enabling autorun
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt fingerprint packed xpack

Result
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Backdoor.Simda
Status: Malicious
First seen: 2025-11-21 19:52:07 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 31 of 36 (86.11%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:simda discovery persistence stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Modifies WinLogon for persistence
Simda family
simda
Unpacked files

SHA256 hash: 8d889a2aee7890a15ee20f20a1d8f1aded466f6c1c55ae571255ffca61066fad
MD5 hash: 82f9847adb36529063ae2a4fedcc2e8e
SHA1 hash: 2d88621b07d308e52fa79bac254131653ca3fc44

SHA256 hash: 594fe2ad56ca928bf87bff3888e521cfd21aa81412751e2607d49f4f0a9966e6
MD5 hash: 636b5a3cf9a79e6973a5966b3c0a2b7b
SHA1 hash: b0a6170a2688554e9dfeed349fb85e9a1a89736d
Detections: win_simda_auto win_simda_g1 win_simda_g0 Simda MALWARE_Win_Simda

SHA256 hash: ba47b0c66b44875e0cba52cab76f3fe2c3e98cc70a635b328ccb3531eac315a7
MD5 hash: a4d3bc2455031b80f35baf2076ca1379
SHA1 hash: 6269daea97fb43d8398c99193024dc5f0066207a
Detections: win_simda_auto win_simda_g1 win_simda_g0 Simda MALWARE_Win_Simda

SHA256 hash: e3fa2bf915789a2aa46a56188922f7c6e40c460b5f13366225e6103869c7bcff
MD5 hash: e50057fdcabc7dea7d8670da2add7b0d
SHA1 hash: 55925abdbf3b90d7b538f796c2d009ccd9e60279
Detections: win_simda_auto win_simda_g1 win_simda_g0 Simda MALWARE_Win_Simda
Parent samples:

Note that we are no longer able to provide a coverage score for VirusTotal.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments