MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b
SHA3-384 hash: c59a632ab03eb3548b158abb6e1ac046b11ec858417758e6fb1e166edabb79d5fcaf0c0768786891d27f2c807b42f0f0
SHA1 hash: 2b0a8ab2f9715ae26402fc1cbc2c251e47e4d644
MD5 hash: a5f4e1b9b2673b80d143f7e04b028fee
humanhash: johnny-sodium-white-bacon
File name:svchost.exe
Download: download sample
Signature Simda
Create hunting rule
File size:342'528 bytes
First seen:2025-11-23 09:53:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 08be74ae800b79e75e5383d571792ca3 (1 x Simda)
ssdeep 6144:Tj+5bzMSFSWBdrZEZJLzlNxxEYXtAEfahwm363Xh2HE+HSeIQQ+Z:T9SFNSZkEfebu2HEASe
Threatray 67 similar samples on MalwareBazaar
TLSH T149748F22E0409576E1F9163055FE3A6A21BD6E7803D829D337946F9C2D742F2B2392DF
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:exe Simda upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 67c3d6b36234a869d6d7c7fdd34b77bd139b9a0fdd3d7f536423ae4e10c38bd9
File size (compressed) :134'144 bytes
File size (de-compressed) :342'528 bytes
Format:win32/pe
Packed file: 67c3d6b36234a869d6d7c7fdd34b77bd139b9a0fdd3d7f536423ae4e10c38bd9

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Simda
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41054/
Gathering data
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Moving of the original file
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm banker base64 explorer keylogger lolbin microsoft_visual_cc packed rundll32 shifu shiz
Link:
https://www.filescan.io/uploads/6922e5345d3feebe12d81701/reports/f4fb9d7d-db3b-4aa0-a743-c7f0de249af2/overview
Verdict:
Malicious
Labled as:
Fugrafa.Generic
Link:
https://www.hybrid-analysis.com/sample/adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-12T03:04:00Z UTC
Last seen:
2025-11-12T03:40:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b/results?tab=lookup
Result
Threat name:
Simda Stealer
Create hunting rule
Detection:
malicious
Classification:
bank.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1819496
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after checking volume information)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found stalling execution ending in API Sleep call
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Yara detected Simda Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/a5f4e1b9b2673b80d143f7e04b028fee
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxddvdoy4zh4mdgnhdpr3w2zoskxvlpkcuklj2i4bxxd3tn55ffq._file
Verdict:
malicious
Label(s):
simda
Create hunting rule
Similar samples:
adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b
Simda
b8d0135686d778d06b8f183c97714bae429a531ba2533fd449efaace05718214
Simda
b94c8d4c01fde28d1e236ca094c13685dd11234df98414e10f9c700d6b4c37ec
Simda
c396ca00d0f924a4474f9c3f40b09a9d0048a171198b503694db5b0a8947176e
Simda
c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0
Simda
error
Simda
f651879bbfa8ed9b6189c0264d24051bd7e194d6bed20feb2f8ec961beb9fd1e
Simda
+ 57 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251123-msyf2szkbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Modifies WinLogon for persistence
Verdict:
Malicious
Tags:
stealer simda Win.Trojan.Simda-10002732-0
YARA:
MALWARE_Win_Simda
Link:
https://app.threat.zone/submission/4760527a-ee50-49ae-b6d8-c6f6cc7d3387
Unpacked files
SH256 hash:
adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b
MD5 hash:
a5f4e1b9b2673b80d143f7e04b028fee
SHA1 hash:
2b0a8ab2f9715ae26402fc1cbc2c251e47e4d644
Detections:
Simda
Create hunting rule
Link:
https://www.unpac.me/results/c2a1f844-9588-43cb-8b73-dd776e65452d/
Malware family:
Shifu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/adc63a8dd8e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:MALWARE_Win_Simda
Create hunting rule
Author:ditekShen
Description:Detects Simda / Shifu infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Simda

Executable exe 67c3d6b36234a869d6d7c7fdd34b77bd139b9a0fdd3d7f536423ae4e10c38bd9

Simda

Executable exe adc63a8dd8e64fc60ccd38df1ddb5974957aadea1514b4e91c0dee3dcdbde94b

(this sample)

  
Dropped by
SHA256 67c3d6b36234a869d6d7c7fdd34b77bd139b9a0fdd3d7f536423ae4e10c38bd9
  
Dropped by
MD5 42680500b6a672f4f10fe26a60ca033e
Cape
Cape
https://www.capesandbox.com/analysis/41054/

Comments