MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa
SHA3-384 hash:	c56b12f380d996535729638db4222d272040d1fcbca4a96e6db40f92b23ea399977424a47d62a02f99ec9541bfb4e1ed
SHA1 hash:	1e2200149da347977dca32cbfa68d0fd7fe4769d
MD5 hash:	cd3dccb2603b74f10205a2ef2087b540
humanhash:	illinois-wyoming-kilo-leopard
File name:	svchost.exe
Download:	download sample
Signature	Simda Create hunting rule
File size:	430'080 bytes
First seen:	2025-11-23 09:27:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	25724a12bec6f765c371201f99ac92be (12 x Simda)
ssdeep	6144:BEXlSylvFuWaS54hIAv/QhuA7HY8pPZ0FP6BzxM5Em:SAylvv5YRwh9HYd61xhm
TLSH	T1819412C7B18928D5C440063349FAA7815A2DFD551B1BC8FBEF88412DAFAC981BE3531E
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Hexastrike
Tags:	exe Simda

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

svchost.exe

Verdict:

Suspicious activity

Analysis date:

2025-11-23 18:02:43 UTC

Tags:

anti-evasion

Link:

https://app.any.run/tasks/b6eacbe8-9f22-4247-9553-3af06f7b2ba9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Simda

Link:

https://www.capesandbox.com/analysis/40692/

Detection(s):

Win.Trojan.Shiz-1268

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Creating a process from a recently created file

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Moving of the original file

Enabling autorun

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context packed

Link:

https://www.filescan.io/uploads/6922dd1beecb08e4aa45a301/reports/70a1a970-668a-4bc4-951c-9a3a50676746/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa

Result

Gathering data

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/cd3dccb2603b74f10205a2ef2087b540

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa/

Threat name:

Win32.Infostealer.Simda

Status:

Malicious

First seen:

2025-11-23 08:51:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uaicjervcsn54xnvmdh6c2tdkw5yd3wnu5ojyd3ud4qdlbyrnl5a._file

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/251123-l6eqesen7x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Modifies WinLogon for persistence

Verdict:

Malicious

Tags:

Win.Trojan.Shiz-1268

YARA:

n/a

Link:

https://app.threat.zone/submission/564278ee-8c26-4904-814c-d5b227a58668

Unpacked files

SH256 hash:

a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa

MD5 hash:

cd3dccb2603b74f10205a2ef2087b540

SHA1 hash:

1e2200149da347977dca32cbfa68d0fd7fe4769d

Link:

https://www.unpac.me/results/d69c8180-fcce-416d-b1f2-271886ed2057/

SH256 hash:

4b1b6dce7e10f33f7556e980d5c4617e38d4bb0d6fb9ad446c1efd7981e23f82

MD5 hash:

0ebb7241e733cecacf168f3b8d561689

SHA1 hash:

5aedadf8ee7d2bda26aeb14bed10a3d44abeae62

Detections:

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/d69c8180-fcce-416d-b1f2-271886ed2057/

SH256 hash:

5d4d7bb2189c51c679cb2d630eb86b6a9325d30f4a16187ecad4cc63b3686328

MD5 hash:

c8e97692386ae0104e9dbc8e63ee159b

SHA1 hash:

1c926a52144a283bf41596a4eb11538a3744b9cd

Detections:

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/d69c8180-fcce-416d-b1f2-271886ed2057/

Parent samples :

7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
35afd034be5c169a9ce512e33beebfc34f8cb9cf564d706a3a6ec5faf2f683d4
4186ff44e98f32b3bcef01c4f1636236c239c77d3130f442505fd935b0fb22e5
4706bfd51c7f6d36e99f8edb5554f48f57d68629f88d0fae4d2cd485529d37b7
84ffe34ab9cbf7135b3608d048a20c739c611e38dac0e1d5914fc9335de968b9
8844a1dd4728ebfec6e107268e57ef28a1ca0dea117627b3043d7e5fab5a60e4
91dd8558fa3d3283e71559a63d8b4cc8efa140111721b8b01a6fe052f95ba89d
9d4a0c43dd80ba30f6ead70c3d5046b1efdd5f408d99a179ecc6e42eb3eaf1b1
a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa
a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393
f8adb99924cf781199cf6fa0acdcfd7317cbbca4b44a141f67af2f663a429e2e

SH256 hash:

fd067a038e503edb4700803f6c3a7309e3b46ca865dc734bad879e4a2a8112c1

MD5 hash:

8c19822fbdc4348ec5f5ee80abd0fe77

SHA1 hash:

28d19264b0abca1123673ac473bba57fb933da47

Detections:

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/d69c8180-fcce-416d-b1f2-271886ed2057/

Parent samples :

1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
35afd034be5c169a9ce512e33beebfc34f8cb9cf564d706a3a6ec5faf2f683d4
4186ff44e98f32b3bcef01c4f1636236c239c77d3130f442505fd935b0fb22e5
4706bfd51c7f6d36e99f8edb5554f48f57d68629f88d0fae4d2cd485529d37b7
84ffe34ab9cbf7135b3608d048a20c739c611e38dac0e1d5914fc9335de968b9
8844a1dd4728ebfec6e107268e57ef28a1ca0dea117627b3043d7e5fab5a60e4
91dd8558fa3d3283e71559a63d8b4cc8efa140111721b8b01a6fe052f95ba89d
9d4a0c43dd80ba30f6ead70c3d5046b1efdd5f408d99a179ecc6e42eb3eaf1b1
a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa
a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393
f8adb99924cf781199cf6fa0acdcfd7317cbbca4b44a141f67af2f663a429e2e

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	MALWARE_Win_Simda Create hunting rule
Author:	ditekShen
Description:	Detects Simda / Shifu infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_Zeus_e51c60d7 Create hunting rule
Author:	Elastic Security
Description:	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.
Reference:	https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40692/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample