MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 10

Intelligence 10 IOCs YARA 13 File information Comments

SHA256 hash:	ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904
SHA3-384 hash:	66ecbc13c535bbe3fdd9b390929069bf169c64a3b79a46bc0a2ca955b4bdb94a0c5466728982f504cfe12648f63c0326
SHA1 hash:	295b0f4399761f0eb90e05bd1424c5f147cde1c8
MD5 hash:	fc06f32000c685b8ef10ab0ef47e2510
humanhash:	jersey-connecticut-victor-mike
File name:	svchost.exe
Download:	download sample
Signature	Simda Create hunting rule
File size:	230'400 bytes
First seen:	2025-11-23 09:28:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e4d8c3a1a334a5b30c07d0ae1540afcb (1 x Simda)
ssdeep	6144:U0CshD7CcAxBKfylXLeXGIpbmIIGSWcBGR/Dl:DLhPCdBaIXLYGimPGSfB4p
TLSH	T19D34122B07C12077D26E0D7694739E1491BF60027B72A77E47C2ABA734FB111EA39E52
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Hexastrike
Tags:	exe Simda

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

Simda

Link:

https://www.capesandbox.com/analysis/40743/

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Creating a file in the Windows subdirectories

Searching for synchronization primitives

Creating a process from a recently created file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Creating a file in the %temp% directory

Searching for the anti-virus window

Moving of the original file

Query of malicious DNS domain

Enabling autorun

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint packed shiz

Link:

https://www.filescan.io/uploads/6922de407d011c9c3a488817/reports/626d703d-c68f-4517-ba11-3277f4ee95d7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904

Result

Gathering data

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/fc06f32000c685b8ef10ab0ef47e2510

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904/

Threat name:

Win32.Infostealer.Simda

Status:

Malicious

First seen:

2025-11-23 08:34:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 36 (86.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vn5yjetluvmtqzifaghr72rfck3kz75gcic4q4orrrbmmyq4feca._file

Result

Malware family:

simda

Score:

10/10

Tags:

family:simda discovery persistence stealer trojan

Link:

https://tria.ge/reports/251123-l89zcaypfn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Modifies WinLogon for persistence

Simda family

simda

Verdict:

Malicious

Tags:

Win.Trojan.Agent-316145

YARA:

n/a

Link:

https://app.threat.zone/submission/5dc678bb-9e6e-4d4b-846b-3b6ed45fee1d

Unpacked files

SH256 hash:

473dc2506e88b1d9089f679c6b9ad572da4bb7e76d0bf9174dbe21d92dd4bfb2

MD5 hash:

1e1a377e3c9dd2458782a410f270cafb

SHA1 hash:

7e3a665b66c69047f7628bbe15919190e1860b43

Detections:

win_simda_auto

win_simda_g1

win_simda_g0

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/1f586535-d7d8-457f-a7a7-f11ba7c5003d/

SH256 hash:

e54ed3f707dc28ebf1b636edc59b70d5e6cc1d98bb6c86e948f938785fc26599

MD5 hash:

9d5e3486559584a8cdf69cade55b894e

SHA1 hash:

38bdbb74883792ec3a7d5434b0eaa75dc3fca223

Detections:

win_simda_auto

win_simda_g1

win_simda_g0

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/1f586535-d7d8-457f-a7a7-f11ba7c5003d/

SH256 hash:

e3fa2bf915789a2aa46a56188922f7c6e40c460b5f13366225e6103869c7bcff

MD5 hash:

e50057fdcabc7dea7d8670da2add7b0d

SHA1 hash:

55925abdbf3b90d7b538f796c2d009ccd9e60279

Detections:

win_simda_auto

win_simda_g1

win_simda_g0

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/1f586535-d7d8-457f-a7a7-f11ba7c5003d/

Parent samples :

dc1c6d303002b580188a6d25d471d95d5a001186f85db279aca2e2de98527b92
55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51
03336e55e9bc4f0ae61098eeb358c36cf558683c457e7ccce374a61335df36d0
0954d357412d7bcccb3e28d9760e621a7c32a34626fa7fff0f4c101de53ddd05
0bdb5f7f03b6be6ad31a7397d265535ae95c85271d0345c6331e296ffaa09f17
14164234fdf8d6cf6d08ad2b1a5341fcabf6ecea1dc159f87af4fe164ef7c74a
19b249c8c048de11213666ae13cc1c62635dda37cf2a41b696dc0f946362cacf
217d3556de75c6ae83f565aad46e73a7ab892f1cbe3d2b55aa70d2112181e110
2c2e74c219be5698372888cca337abaed31d50b438596830d4c9043c04d6dea8
35972590b79eabb7394fa147b3dd64a8f3f7f0bddb82c527d87f345215c00e30
48f84d7d505f3a2ce61baa8e56dd0838d0b81a0103db009bfd5596fb3f62af4d
535b682938ea8f9ff66d4c75cf9dee36060ba4caf9713cadd4638e4adddbdde2
53c1854d8132616a67e0aceaa012cb8b760e6205d433f0e01aec35ef81cd505c
552b60239027f24fbfacaf9d7497a318f4ae89898c60338f68fcac18327cea88
59d16811cc0a1c0caf3a05f043818b61e3e99c6df7476e91f8bb8fa30e188043
61d8fb1f75b5f2a16cd31e459ca8d6a98fbdaaa73fa12598b359615adc938bf4
632a95a51b95ba00d06df6881c06a766e6e8496ed2fa070b810adc4b96012bb5
7264095b75d31b7ed0b80ecaa36f80ffcbdcedeac4d49c2a70ec684ee070140e
8032eeaa6fb612a56ab09e7469e264e4bb9186a0321e0b10cabec3aaa39a5a2f
8447097cbe5deca77a965ba8fdaa19270af3a686c4d8c64a6c4fb997a41fed12
88facdfb67f3a194192da9c690c1e9064218f86e90acdfe11c51c2fda18221b0
8d889a2aee7890a15ee20f20a1d8f1aded466f6c1c55ae571255ffca61066fad
8e2a2dc3cfb53da2352439b230ccf315c257ceb99e7c1cc99b48e41f435d7f51
9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a
a13b480f8be5a52bcb8a128e5da1b8738356c62830d1964423d77657ca1c9f55
a624205430cc2c2bfbac3f26744bc741dece39dc1b40f2f9c298b2355846300f
ab2530727d9438d1a32da7379b5795eb4053af832f5254e3d04a6d33c9b9ebd9
ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904
b0057b6c3a1c0b6da1c11ca0e74af354c848c6ce1f4abacbc9b44c32174619b1
b35935b1f0fc9cc104bd32a4e8410a6fe04e1b5b4ca714c918df55353435ef1a
b9cc8a804c0cc89e9f31c66e943408c76d35363ed664c87fe828efd0909ab87b
be8d0ec74025f2a531c7cc903be20131e47e2b54da9a0ed2a48af66d4cd66a74
bf279efd14dd25bcd0b9292c677df631b7d9520029e15f2d2b8cba49177fc3ef
c28b49bb5673deb40c8225c66e84a88306f2fc7be4e207a7cb668522e659ad2e
e3a917b9425e70c7fbe5e9c94578708ba62979569c18698a178d78dbc5f65c0e
eecfd380869328417580435ad8ac5db3b35ddfe2b0818e8e152218800178b468

SH256 hash:

ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904

MD5 hash:

fc06f32000c685b8ef10ab0ef47e2510

SHA1 hash:

295b0f4399761f0eb90e05bd1424c5f147cde1c8

Link:

https://www.unpac.me/results/1f586535-d7d8-457f-a7a7-f11ba7c5003d/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_FindWindowA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	MALWARE_Win_Simda Create hunting rule
Author:	ditekShen
Description:	Detects Simda / Shifu infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_Zeus_e51c60d7 Create hunting rule
Author:	Elastic Security
Description:	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.
Reference:	https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects

Rule name:	win_simda_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.simda.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40743/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample