MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f189c2f3775e79b0e4e5de2371b0763eaa77abb3f314ff7d67ddf982a9efc4c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f189c2f3775e79b0e4e5de2371b0763eaa77abb3f314ff7d67ddf982a9efc4c6
SHA3-384 hash: 7920fd811f6c767c7ab7fd4a1999e69d844d4a1568d294e7436402d46a9a1963dff8dc41ebfd1f4cc9a5b221d92ab7d3
SHA1 hash: c5d317da55e13abd95f1c9cf19093e04e5aaf6f5
MD5 hash: b5095926b1c05106e6bf5632d779cd65
humanhash: oven-lake-nuts-maryland
File name:svchost.exe
Download: download sample
Signature Simda
Create hunting rule
File size:161'280 bytes
First seen:2025-11-23 09:32:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cb59e9f2348b37e98c5e9c617c66b271 (9 x Simda)
ssdeep 3072:0eLIjyYsAq/C3RCzgJHvNA1PpYfFL6zU+BEfi:PLIjjqahUSPe1SZ+h
Threatray 5 similar samples on MalwareBazaar
TLSH T163F33926E04544B9E5E0127C65BD3B9240BF6D74972C2CE37391AAC91DF82E37A7831B
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Hexastrike
Tags:exe Simda

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40971/
Gathering data
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Moving of the original file
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm banker base64 explorer lolbin microsoft_visual_cc shifu shiz
Link:
https://www.filescan.io/uploads/6922e5e45d3feebe12d81772/reports/cfafbf79-6bb4-4149-81e4-27453d015995/overview
Verdict:
Malicious
Labled as:
Trojan.Pws.Online
Link:
https://www.hybrid-analysis.com/sample/f189c2f3775e79b0e4e5de2371b0763eaa77abb3f314ff7d67ddf982a9efc4c6
Result
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f189c2f3775e79b0e4e5de2371b0763eaa77abb3f314ff7d67ddf982a9efc4c6
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b5095926b1c05106e6bf5632d779cd65
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f189c2f3775e79b0e4e5de2371b0763eaa77abb3f314ff7d67ddf982a9efc4c6/
Threat name:
Win32.Infostealer.OnlineGames
Create hunting rule
Status:
Malicious
First seen:
2025-11-22 06:09:44 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
31 of 36 (86.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ge4f43xlz43bzhf3yrxdmdwh2vhpk5t6mkp67lh3x4yfkppytda._file
Verdict:
malicious
Label(s):
simda
Create hunting rule
Similar samples:
bed995ae2815c46e2a8f3ba5621678beb4e88abfbaff00eda3c994489fbe5ca1
Simda
error
Simda
f189c2f3775e79b0e4e5de2371b0763eaa77abb3f314ff7d67ddf982a9efc4c6
Simda
f7aaeedc1ef66fd644cb3ee2898a3ca1d94337e7493370f473a1d7fd8dfa5601
Simda
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251123-mqlz8szjfk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
f189c2f3775e79b0e4e5de2371b0763eaa77abb3f314ff7d67ddf982a9efc4c6
MD5 hash:
b5095926b1c05106e6bf5632d779cd65
SHA1 hash:
c5d317da55e13abd95f1c9cf19093e04e5aaf6f5
Detections:
Simda
Create hunting rule
Link:
https://www.unpac.me/results/28a70460-0a8e-4998-afb2-ad78c4665162/
Malware family:
Shifu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f189c2f3775e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f189c2f3775e79b0e4e5de2371b0763eaa77abb3f314ff7d67ddf982a9efc4c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/40971/

Comments