MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8d0135686d778d06b8f183c97714bae429a531ba2533fd449efaace05718214. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8d0135686d778d06b8f183c97714bae429a531ba2533fd449efaace05718214
SHA3-384 hash: 30aee00e36485ee3ea7461460fd792cc0f0b66bd9f3783f9db5cc919271b840a22fbf446c6cb3388afd38b14dfcebf34
SHA1 hash: d1e2a3d05db0a66f6e0b1e5801a71a821fe29208
MD5 hash: e53683b680819895399d75f7bef305e3
humanhash: steak-seventeen-mike-cardinal
File name:svchost.exe
Download: download sample
Signature Simda
Create hunting rule
File size:331'776 bytes
First seen:2025-11-23 09:29:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a29736d96c1bb5330d99576cd94e80e8 (8 x Simda)
ssdeep 6144:qExz45HS77yQi8Dq+9fXphN2LfjEcYzaWqr57Q7Xwxc4SQjWvvf:oHS7XDq+pcYWWqtfxvSQj2f
Threatray 48 similar samples on MalwareBazaar
TLSH T1A0647D61A040817BF3F8163425FA7B6F25BE6A6403DA19DB27A46ECC29741E2713D1CF
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Hexastrike
Tags:exe Simda

Intelligence

File Origin
# of uploads :
1
# of downloads :
19
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
Simda
Create hunting rule
Link:
https://www.capesandbox.com/analysis/40790/
Detection(s):
Win.Trojan.Simda-10002732-0
Create hunting rule

Win.Malware.Razy-10013686-0
Create hunting rule

Win.Malware.Fragtor-10015653-0
Create hunting rule

Win.Malware.Razy-10017207-0
Create hunting rule

Win.Trojan.Shiz-10036056-0
Create hunting rule

Win.Trojan.Shiz-10036062-0
Create hunting rule

Win.Trojan.Generic-6323528-0
Create hunting rule

Win.Trojan.Banker-13589
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Moving of the original file
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm banker base64 explorer keylogger lolbin microsoft_visual_cc packed rundll32 shifu shiz
Link:
https://www.filescan.io/uploads/6922df2e6c89728b9825ec3f/reports/5ffc7bc4-ff4d-44dc-bdae-b94f873535f3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b8d0135686d778d06b8f183c97714bae429a531ba2533fd449efaace05718214
Result
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b8d0135686d778d06b8f183c97714bae429a531ba2533fd449efaace05718214
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/e53683b680819895399d75f7bef305e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8d0135686d778d06b8f183c97714bae429a531ba2533fd449efaace05718214/
Threat name:
Win32.Backdoor.Simda
Create hunting rule
Status:
Malicious
First seen:
2025-11-23 06:35:46 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
31 of 36 (86.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xdibgvug254na24pda6jo4klvzbjuuy3ujjt7vcj56vm4blrqika._file
Verdict:
malicious
Label(s):
simda
Create hunting rule
Similar samples:
0ab14e5e55d5cbc5d885e5454807bca2cec4e9a912deee7fdcea8f8005f74cf1
Simda
5697e0d0be6f06549e07b9fdcfd79ba7b24bb8473f5410b3e5f894886238f6e8
Simda
5d82a59f375675deb147be2c550e8088e5d832162bd4c8fbabb66afd9068c661
Simda
b19a22e002033220539de5970500c87800b4b64c7bbc583249862cffd27d4a5c
Simda
b8d0135686d778d06b8f183c97714bae429a531ba2533fd449efaace05718214
Simda
c396ca00d0f924a4474f9c3f40b09a9d0048a171198b503694db5b0a8947176e
Simda
c57280002b5de677646d0b0aca6810ef7d29264c3375c6242497044de33b7aca
Simda
c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0
Simda
dcf64e228ed56dca42675bcab1488f7f10418c612d7425876639e5827b68497b
Simda
error
Simda
+ 38 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251123-mbhn9sep8y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Modifies WinLogon for persistence
Verdict:
Malicious
Tags:
stealer simda Win.Trojan.Simda-10002732-0
YARA:
MALWARE_Win_Simda
Link:
https://app.threat.zone/submission/5d86bc30-78f0-46ef-bf9f-0fb575a9fde0
Unpacked files
SH256 hash:
b8d0135686d778d06b8f183c97714bae429a531ba2533fd449efaace05718214
MD5 hash:
e53683b680819895399d75f7bef305e3
SHA1 hash:
d1e2a3d05db0a66f6e0b1e5801a71a821fe29208
Detections:
Simda
Create hunting rule
Link:
https://www.unpac.me/results/fa3e785c-ed7c-4e23-94d5-98f892a25c20/
Malware family:
Shifu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8d0135686d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8d0135686d778d06b8f183c97714bae429a531ba2533fd449efaace05718214

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:MALWARE_Win_Simda
Create hunting rule
Author:ditekShen
Description:Detects Simda / Shifu infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/40790/

Comments