MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 12

Intelligence 12 IOCs YARA 20 File information Comments

SHA256 hash:	9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a
SHA3-384 hash:	0ae02e2672de23579373eceea026819d0755b0716ecdd67d258d5dc0e542723075b735909cc07e47cedfaf3c0a358613
SHA1 hash:	818ec5339e16ada568f82f62b328f1264c8b1386
MD5 hash:	8f6871462928f316bbb63be617f6ae0e
humanhash:	august-blue-ceiling-idaho
File name:	svchost.exe
Download:	download sample
Signature	Simda Create hunting rule
File size:	223'888 bytes
First seen:	2025-11-23 09:26:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5dbe4621616d081e3440b0469a9471ca (3 x Simda)
ssdeep	3072:fvm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:31SyAJp6rjn1gOObn4b6h9h
TLSH	T17B24027A8633155AC8250DF948DFDA171DBC435E2F2822360D99CB5F2EF37431AB6622
TrID	56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.1% (.EXE) Win32 Executable (generic) (4504/4/1) 3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Hexastrike
Tags:	exe Simda

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

svchost.exe

Verdict:

Malicious activity

Analysis date:

2025-11-23 19:18:46 UTC

Tags:

auto-reg anti-evasion

Link:

https://app.any.run/tasks/ccc8bc8b-540e-42a5-be8b-905b0d43944f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Simda

Link:

https://www.capesandbox.com/analysis/40634/

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Creating a file in the Windows subdirectories

Searching for synchronization primitives

Creating a process from a recently created file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Creating a file in the %temp% directory

Searching for the anti-virus window

Moving of the original file

Query of malicious DNS domain

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context crypt expired-cert fingerprint invalid-signature packed signed xpack

Link:

https://www.filescan.io/uploads/6922dc0f6c89728b9825eb6f/reports/1bd98ee8-61a8-4f5d-84f8-d502940b12b9/overview

Verdict:

Malicious

Labled as:

Packy.Generic

Link:

https://www.hybrid-analysis.com/sample/9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a

Result

Gathering data

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/8f6871462928f316bbb63be617f6ae0e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a/

Threat name:

Win32.Backdoor.Simda

Status:

Malicious

First seen:

2025-11-21 09:17:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 36 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=skarghi5k5jaqb2mnh5qt2rnb6iszggmtd25y7bogmo7dnbgha5a._file

Result

Malware family:

simda

Score:

10/10

Tags:

family:simda discovery persistence stealer trojan

Link:

https://tria.ge/reports/251123-l3vmgatlet/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Modifies WinLogon for persistence

Simda family

simda

Unpacked files

SH256 hash:

c82b89cee5ff7f244f5b437f2d98052c6ddd05bac07cfbbd7e385702fe644d8a

MD5 hash:

71f39fd3092e52e457bef627023218a7

SHA1 hash:

5d184464c40d7e02886807b8e45b8369552bacab

Detections:

win_simda_auto

win_simda_g1

win_simda_g0

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/9e8548b7-2011-4377-a5ef-a3eadf56a43c/

SH256 hash:

1ac4ff291bb80be50e57a27b90fa7f838e07a6a70ad93d23a6c38d7d15025016

MD5 hash:

cef57dfcc1dda67288a1012a9dbc19b3

SHA1 hash:

1f4296369007b045b1f12f140c6edfdd7a460f4a

Detections:

win_simda_auto

win_simda_g1

win_simda_g0

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/9e8548b7-2011-4377-a5ef-a3eadf56a43c/

SH256 hash:

e3fa2bf915789a2aa46a56188922f7c6e40c460b5f13366225e6103869c7bcff

MD5 hash:

e50057fdcabc7dea7d8670da2add7b0d

SHA1 hash:

55925abdbf3b90d7b538f796c2d009ccd9e60279

Detections:

win_simda_g1

win_simda_g0

win_simda_auto

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/9e8548b7-2011-4377-a5ef-a3eadf56a43c/

Parent samples :

dc1c6d303002b580188a6d25d471d95d5a001186f85db279aca2e2de98527b92
55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51
03336e55e9bc4f0ae61098eeb358c36cf558683c457e7ccce374a61335df36d0
0954d357412d7bcccb3e28d9760e621a7c32a34626fa7fff0f4c101de53ddd05
0bdb5f7f03b6be6ad31a7397d265535ae95c85271d0345c6331e296ffaa09f17
14164234fdf8d6cf6d08ad2b1a5341fcabf6ecea1dc159f87af4fe164ef7c74a
19b249c8c048de11213666ae13cc1c62635dda37cf2a41b696dc0f946362cacf
217d3556de75c6ae83f565aad46e73a7ab892f1cbe3d2b55aa70d2112181e110
2c2e74c219be5698372888cca337abaed31d50b438596830d4c9043c04d6dea8
35972590b79eabb7394fa147b3dd64a8f3f7f0bddb82c527d87f345215c00e30
48f84d7d505f3a2ce61baa8e56dd0838d0b81a0103db009bfd5596fb3f62af4d
535b682938ea8f9ff66d4c75cf9dee36060ba4caf9713cadd4638e4adddbdde2
53c1854d8132616a67e0aceaa012cb8b760e6205d433f0e01aec35ef81cd505c
552b60239027f24fbfacaf9d7497a318f4ae89898c60338f68fcac18327cea88
59d16811cc0a1c0caf3a05f043818b61e3e99c6df7476e91f8bb8fa30e188043
61d8fb1f75b5f2a16cd31e459ca8d6a98fbdaaa73fa12598b359615adc938bf4
632a95a51b95ba00d06df6881c06a766e6e8496ed2fa070b810adc4b96012bb5
7264095b75d31b7ed0b80ecaa36f80ffcbdcedeac4d49c2a70ec684ee070140e
8032eeaa6fb612a56ab09e7469e264e4bb9186a0321e0b10cabec3aaa39a5a2f
8447097cbe5deca77a965ba8fdaa19270af3a686c4d8c64a6c4fb997a41fed12
88facdfb67f3a194192da9c690c1e9064218f86e90acdfe11c51c2fda18221b0
8d889a2aee7890a15ee20f20a1d8f1aded466f6c1c55ae571255ffca61066fad
8e2a2dc3cfb53da2352439b230ccf315c257ceb99e7c1cc99b48e41f435d7f51
9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a
a13b480f8be5a52bcb8a128e5da1b8738356c62830d1964423d77657ca1c9f55
a624205430cc2c2bfbac3f26744bc741dece39dc1b40f2f9c298b2355846300f
ab2530727d9438d1a32da7379b5795eb4053af832f5254e3d04a6d33c9b9ebd9
ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904
b0057b6c3a1c0b6da1c11ca0e74af354c848c6ce1f4abacbc9b44c32174619b1
b35935b1f0fc9cc104bd32a4e8410a6fe04e1b5b4ca714c918df55353435ef1a
b9cc8a804c0cc89e9f31c66e943408c76d35363ed664c87fe828efd0909ab87b
be8d0ec74025f2a531c7cc903be20131e47e2b54da9a0ed2a48af66d4cd66a74
bf279efd14dd25bcd0b9292c677df631b7d9520029e15f2d2b8cba49177fc3ef
c28b49bb5673deb40c8225c66e84a88306f2fc7be4e207a7cb668522e659ad2e
e3a917b9425e70c7fbe5e9c94578708ba62979569c18698a178d78dbc5f65c0e
eecfd380869328417580435ad8ac5db3b35ddfe2b0818e8e152218800178b468

SH256 hash:

9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a

MD5 hash:

8f6871462928f316bbb63be617f6ae0e

SHA1 hash:

818ec5339e16ada568f82f62b328f1264c8b1386

Link:

https://www.unpac.me/results/9e8548b7-2011-4377-a5ef-a3eadf56a43c/

Malware family:

Shifu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9281131d1d57/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_FindWindowA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	MALWARE_Win_Simda Create hunting rule
Author:	ditekShen
Description:	Detects Simda / Shifu infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_Zeus_e51c60d7 Create hunting rule
Author:	Elastic Security
Description:	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.
Reference:	https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects

Rule name:	win_simda_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.simda.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40634/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample