{
	"id": "dde369c6-a61d-4854-9313-5c2c89ab7bc2",
	"created_at": "2026-04-06T00:13:52.606373Z",
	"updated_at": "2026-04-10T13:12:20.653671Z",
	"deleted_at": null,
	"sha1_hash": "4ca8239129e5d3fefae6bedba093442067a744e6",
	"title": "The DGA of Simda/Shiz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62348,
	"plain_text": "The DGA of Simda/Shiz\r\nArchived: 2026-04-05 17:30:13 UTC\r\nOnly when I had already finished the DGA of Simda/Shiz, I noticed that DGArchive and Abuse.ch analysed Simda’s DGA before me. All this entry contributes are two additional seeds.\r\nThe DGA\r\nThe DGA is pretty simple:\r\nlength = 7\r\ntld = \"com\"\r\nkey = \"1676d5775e05c50b46baa5579d4fc7\"\r\nbase = 0x45AE94B2\r\nconsonants = \"qwrtpsdfghjklzxcvbnmv\"\r\nvowels = \"eyuioa\"\r\n# only the sum of the key's character codes feeds the generator\r\nstep = 0\r\nfor m in key:\r\n    step += ord(m)\r\nfor nr in range(1000):\r\n    domain = \"\"\r\n    base += step\r\n    for i in range(length):\r\n        index = int(base/(3+2*i))\r\n        # even positions take a consonant, odd positions a vowel\r\n        if i % 2 == 0:\r\n            char = consonants[index % 20]\r\n        else:\r\n            char = vowels[index % 6]\r\n        domain += char\r\n    domain += \".\" + tld\r\n    print(domain)\r\nThe length, top level domain, and the key vary from sample to sample. For the domain generation, only the sum of the key’s characters matters; the key itself is irrelevant.\r\nThe Seeds\r\nI found five different sets of seeds + one on virustracker:\r\nset | base | domain length | tld | key | key sum | first 10 domains\r\n1 | 45AE94B2 | 7 | com | 1676d5775e05c50b46baa5579d4fc7 | 2052 | gatyfus.com, lyvyxor.com, vojyqem.com, qetyfuv.com, puvyxil.com, gahyqah.com, lyryfyd.com, vocyzit.com, qegyqaq.com, purydyv.com\r\n2 | 45AE94B2 | 5 | eu | 1670cf21500911e1758e2b0dd5b4 | 1824 | lykef.eu, qekol.eu, galin.eu, volup.eu, puzej.eu, lyxav.eu, qexor.eu, gacuf.eu, vocyz.eu, puvem.eu\r\n3 | 45AE94B2 | 7 | info | 167cd47c0a09c9036d6097b754ab2e73 | 2146 | qebevil.info, citokec.info, jejudin.info, divywew.info, wetavop.info, vojokyf.info, lyvudoj.info, fotyryz.info, ryhabov.info, novolym.info\r\n4 | 45AE94B2 | 7 | info | ? | 2038 | puwedyp.info, tulokuq.info, rypubuv.info, rycyril.info, wedafog.info, qebolap.info, qeguneq.info, mamytec.info, najagyk.info, noroxuf.info\r\n5 | 45AE94B2 | 11 | eu | 1670cf215403c56d8859a0636ffc74 | 1952 | cihunemyror.eu, digivehusyd.eu, vofozymufok.eu, fodakyhijyv.eu, nopegymozow.eu, gatedyhavyd.eu, marytymenok.eu, jewuqyjywyv.eu, qeqinuqypoq.eu, kemocujufys.eu\r\n6 | 45AE94B2 | 7 | info | ? | 2182 | lyromex.info, maxenem.info, dosuves.info, xubaxej.info, wehyzav.info, gaqokaw.info, vilehaf.info, tupigal.info, jevadan.info, nofupat.info\r\nI have not had access to a sample for the fourth and sixth seed, but found the key sum to be 2038 by brute forcing.\r\nHere is a Python script of the DGA that contains these five seeds.\r\nSamples on Malwr.com\r\nThe following table lists samples from malwr.com that use the DGA of Simda/Shiz:\r\nmd5 | analysis date | set | Kaspersky | Microsoft | Symantec\r\n9c5e9e1a049ec198abf461f92758d8b5 | 14 May. 2013 | 1 | Shiz.raj | Injector.gen!BQ | (c)\r\necbdcf103052f1537798e5b27e1f2538 | 26 Aug. 2013 | 3 | Shiz.afai | Simda.gen!B | WS.Reputation.1\r\nd0acd37e9075990d0f1289db350c258d | 08 Nov. 2013 | 1 | (c) | Simda.AF | Shiz!gen\r\nc4d1a029de33208a56eba8f5fe8b6eb2 | 03 Feb. 2014 | 5 | (g) | (c) | (c)\r\n1fde0e0a2b16fcb4c483ec7ed8531756 | 19 Mar. 2014 | 5 | (g) | Injector.TH | Shiz!gen\r\n1fde0e0a2b16fcb4c483ec7ed8531756 | 19 Mar. 2014R | 5 | (g) | Injector.TH | Shiz!gen\r\nfdcab35a4d38deb9d41a3c1f12075d22 | 23 Mar. 2014 | 5 | Shiz.aklr | Injector.TH | (c)\r\n7070ac6706e345e75103054a4f30ff4d | 26 Mar. 2014 | 5 | ? | ? | ?\r\n71ca5168b13f6657f79c9d43ed448372 | 30 Mar. 2014 | 3 | (g) | Simda.gen!F |\r\n0972ebba0a8f21f930c7e2f27be96646 | 29 May. 2014 | 1 | (g) | Simda.D | WS.Reputation.1\r\n39f2998a165cb2f5986bf288e7153490 | 30 May. 2014 | 1 | Shiz.tiq | Simda | WS.Reputation.1\r\n03b7288ba9876ad4e80074ab95cb889f | 22 Jun. 2014 | 5 | (g) | Simda | Shiz!gen2\r\n301eb56db2e5e601453da34698f9db1b | 25 Jun. 2014 | 5 | (g) | Simda | WS.Reputation.1\r\n0537c9f2dc45b10be4c276600f7af035 | 26 Jun. 2014 | 1 | Shiz.raj | Simda.G | Malcol\r\n02f6cb7a90169b8569133a75a74e9ba0 | 27 Jun. 2014 | 5 | (g) | (c) | (g)\r\n10708d7d77ab864f1d38fe1b6161422d | 29 Jun. 2014 | 5 | (g) | Simda | (g).2\r\n11b54c5d8531c0705d30a87f2b42a20f | 29 Jun. 2014 | 4 | Shiz.cxgu | Simda | WS.Reputation.1\r\n12a92f800239af5e715842d6fcf7c82c | 30 Jun. 2014 | 5 | (g) | Obfuscator.WY | (g).2\r\n14ce26edf8ccf4b5dc6e8170ecc04a82 | 01 Jul. 2014 | 5 | (g) | Simda.AA | (c)\r\n174b8b6048cc18e069a633786ead5cc3 | 01 Jul. 2014 | 5 | (g) | Simda | FakeAV\r\n196e7f6c572a2ea7afcc322530f8f970 | 01 Jul. 2014 | 3 | (g) | Simda.gen!F | WS.Reputation.1\r\n25c9bb91088b6062ac5ce8d214cd93a5 | 03 Jul. 2014 | 5 | (g) | Obfuscator.ZV | Shiz!gen2\r\n34920722bdfe2ce5cff7e2f692939666 | 05 Jul. 2014 | 1 | Shiz.raj | Simda | WS.Reputation.1\r\n564dff857b3c0c3ef304df86d69dbe4d | 13 Jul. 2014 | 5 | (g) | Simda.X | (g)\r\n575401b07ccec2f84ff6e46d26a84dc5 | 14 Jul. 2014 | 5 | (g) | (c) | (c)\r\n7b9d6e2d8a0a0b20d493ea2f37de260d | 18 Jul. 2014 | 1 | (g) | Simda.P | Shiz!gen\r\n7974fb86000385219d4b9cd63bcb0d2f | 20 Jul. 2014 | 5 | (g) | Obfuscator.ZV | Shiz!gen2\r\n7df9185319e4877fc0322bdf56af89bc | 20 Jul. 2014 | 5 | ? | Simda | Shiz!gen2\r\n809652095b88a2fa0ea4dd89760599c1 | 21 Jul. 2014 | 2 | (g) | Simda.AF | Shiz!gen\r\n83f2ad344ca7225cb675c03d0c66a0b6 | 21 Jul. 2014 | 5 | (g) | Simda | WS.Reputation.1\r\n8b7000002d47146d7d7e7ba2c5b3d120 | 22 Jul. 2014 | 5 | (g) | Simda | Shiz\r\n9977d2b1b279112cc1024858802b3ab8 | 23 Jul. 2014 | 5 | (g) | Simda.U | (g)\r\nad71cd5a05db9473c5580eb070963bf9 | 02 Mar. 2015 | 1 | (g) | Simda.AF | Shiz!gen\r\n(g): generic, ?: not scanned, (c): clean\r\nSource: https://bin.re/blog/the-dga-of-simda-shiz/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://bin.re/blog/the-dga-of-simda-shiz/"
	],
	"report_names": [
		"the-dga-of-simda-shiz"
	],
	"threat_actors": [],
	"ts_created_at": 1775434432,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ca8239129e5d3fefae6bedba093442067a744e6.pdf",
		"text": "https://archive.orkl.eu/4ca8239129e5d3fefae6bedba093442067a744e6.txt",
		"img": "https://archive.orkl.eu/4ca8239129e5d3fefae6bedba093442067a744e6.jpg"
	}
}