MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393
SHA3-384 hash:	fe01c5be6c0c84fca280d6b2811e87350809d160a52e91ae6b25ddf81941194a5bddb4711c0d78deda3631cd05b3c45f
SHA1 hash:	554d8bdca78f386b2f664a618e6c30c0f1b8d8ab
MD5 hash:	c108789031440cebeeceeef5dfad6e11
humanhash:	three-ten-shade-arizona
File name:	svchost.exe
Download:	download sample
Signature	Simda Create hunting rule
File size:	240'640 bytes
First seen:	2025-11-23 09:27:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	25724a12bec6f765c371201f99ac92be (12 x Simda)
ssdeep	6144:aEXlSylvFuWaS54hIAv/QhuA7HY8pPZ0FP6BzxM5Em:/Aylvv5YRwh9HYd61xhm
TLSH	T1C43412C7B18928D5C440067349FAA7815A2DFD551B1BC8FBEF88412DAFAC981BE3531E
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Hexastrike
Tags:	exe Simda

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

svchost.exe

Verdict:

Suspicious activity

Analysis date:

2025-11-23 10:12:19 UTC

Tags:

anti-evasion

Link:

https://app.any.run/tasks/1f77b333-aa70-461e-b582-1da320d62a88

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Simda

Link:

https://www.capesandbox.com/analysis/40703/

Detection(s):

Win.Trojan.Shiz-1268

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6922de02b6ee81118d2ca14d

Tags:

emotet simda

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Creating a process from a recently created file

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Moving of the original file

Enabling autorun

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context packed

Link:

https://www.filescan.io/uploads/6922dd565d3feebe12d81398/reports/b17fc682-1dfb-4562-8e37-1d7695c84c5d/overview

Verdict:

Malicious

Labled as:

Trojan.Shiz

Link:

https://www.hybrid-analysis.com/sample/a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393

Result

Gathering data

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/c108789031440cebeeceeef5dfad6e11

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393/

Verdict:

Malicious

Threat:

Trojan-Dropper.Win32.Dorifel

Link:

https://tip.neiki.dev/file/a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393

Threat name:

Win32.Infostealer.Simda

Status:

Malicious

First seen:

2025-11-23 07:41:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 36 (80.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uipllwt3ww4hvrkulkw3ywu5y5rkz5wdxuvrhorafz4bgqp4iojq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/251123-l6zetstmcs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Modifies WinLogon for persistence

Verdict:

Malicious

Tags:

Win.Trojan.Shiz-1268

YARA:

n/a

Link:

https://app.threat.zone/submission/b1af2343-7070-4d25-b9ed-b9c3be9a02ed

Unpacked files

SH256 hash:

5c2353c02288289695e89a2b4f891020d284a2cdcb671370b31e637255fd7317

MD5 hash:

5e0f0eb52a7490a13f74f69c0bdffbd2

SHA1 hash:

cc36483037c8e15084b237b56eecff45c7f4f45b

Detections:

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/12924178-cac6-4d9a-8c36-fbc39e6f16ab/

SH256 hash:

5d4d7bb2189c51c679cb2d630eb86b6a9325d30f4a16187ecad4cc63b3686328

MD5 hash:

c8e97692386ae0104e9dbc8e63ee159b

SHA1 hash:

1c926a52144a283bf41596a4eb11538a3744b9cd

Detections:

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/12924178-cac6-4d9a-8c36-fbc39e6f16ab/

Parent samples :

7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
35afd034be5c169a9ce512e33beebfc34f8cb9cf564d706a3a6ec5faf2f683d4
4186ff44e98f32b3bcef01c4f1636236c239c77d3130f442505fd935b0fb22e5
4706bfd51c7f6d36e99f8edb5554f48f57d68629f88d0fae4d2cd485529d37b7
84ffe34ab9cbf7135b3608d048a20c739c611e38dac0e1d5914fc9335de968b9
8844a1dd4728ebfec6e107268e57ef28a1ca0dea117627b3043d7e5fab5a60e4
91dd8558fa3d3283e71559a63d8b4cc8efa140111721b8b01a6fe052f95ba89d
9d4a0c43dd80ba30f6ead70c3d5046b1efdd5f408d99a179ecc6e42eb3eaf1b1
a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa
a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393
f8adb99924cf781199cf6fa0acdcfd7317cbbca4b44a141f67af2f663a429e2e

SH256 hash:

fd067a038e503edb4700803f6c3a7309e3b46ca865dc734bad879e4a2a8112c1

MD5 hash:

8c19822fbdc4348ec5f5ee80abd0fe77

SHA1 hash:

28d19264b0abca1123673ac473bba57fb933da47

Detections:

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/12924178-cac6-4d9a-8c36-fbc39e6f16ab/

Parent samples :

1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
35afd034be5c169a9ce512e33beebfc34f8cb9cf564d706a3a6ec5faf2f683d4
4186ff44e98f32b3bcef01c4f1636236c239c77d3130f442505fd935b0fb22e5
4706bfd51c7f6d36e99f8edb5554f48f57d68629f88d0fae4d2cd485529d37b7
84ffe34ab9cbf7135b3608d048a20c739c611e38dac0e1d5914fc9335de968b9
8844a1dd4728ebfec6e107268e57ef28a1ca0dea117627b3043d7e5fab5a60e4
91dd8558fa3d3283e71559a63d8b4cc8efa140111721b8b01a6fe052f95ba89d
9d4a0c43dd80ba30f6ead70c3d5046b1efdd5f408d99a179ecc6e42eb3eaf1b1
a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa
a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393
f8adb99924cf781199cf6fa0acdcfd7317cbbca4b44a141f67af2f663a429e2e

SH256 hash:

a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393

MD5 hash:

c108789031440cebeeceeef5dfad6e11

SHA1 hash:

554d8bdca78f386b2f664a618e6c30c0f1b8d8ab

Link:

https://www.unpac.me/results/12924178-cac6-4d9a-8c36-fbc39e6f16ab/

Malware family:

Shifu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a21eb5da7bb5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40703/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample