MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 18

Intelligence 18 IOCs YARA 30 File information Comments

SHA256 hash:	06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1
SHA3-384 hash:	8128a6d1164dfea2ca833e31a5d04caa434910dd0cf8027bb6807f39ceee7d7330f9e90208d0a6a71cd2f48d58212c95
SHA1 hash:	ae0ba09a0d96f4630b5b2dd8e5f95f41fb816010
MD5 hash:	5a05543d03fef6b3db3438140de50d3e
humanhash:	blossom-three-undress-alabama
File name:	dropflower.exe
Download:	download sample
Signature	Simda Create hunting rule
File size:	827'904 bytes
First seen:	2025-05-08 06:52:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	77eb68348ee30e01ec09fce3582c5f76 (19 x Simda, 2 x njrat, 2 x LummaStealer)
ssdeep	12288:dsjCF2QZiOU+4zX7wM45QygROD22O3ZGdZD7AyyymGOldVKj:dOC39Uv7V4WnROD22cqD7Y9rVKj
Threatray	38 similar samples on MalwareBazaar
TLSH	T1C705CF06FBE240B4E86A053A54EAB37B4639BD124B20CDC79780F78CAC77BD16935716
TrID	52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.5% (.EXE) Win64 Executable (generic) (10522/11/4) 4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
dhash icon	0000000000000104 (16 x Simda)
Reporter	adm1n_usa32
Tags:	exe Simda

Intelligence

File Origin

# of uploads :

# of downloads :

391

Origin country :

Vendor Threat Intelligence

Malware family:

simda

ID:

File name:

dropflower.exe

Verdict:

Malicious activity

Analysis date:

2025-05-08 06:51:04 UTC

Tags:

simda stealer

Link:

https://app.any.run/tasks/85b68546-9da2-4a86-8230-ea848522dda6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681c553591991ead82b615e0

Tags:

neshta emotet njrat shiz

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Creating a process from a recently created file

DNS request

Connection attempt

Moving of the original file

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context cmd config-extracted fingerprint keylogger lolbin lolbin lummastealer neshta netsh njrat njrat overlay overlay packed packed packer_detected phishing rat

Link:

https://www.filescan.io/uploads/681c54d8d95f3e34e963c83b/reports/d5e6e7fb-67bb-4eb5-9738-ee224f2c64f0/overview

Verdict:

Malicious

Labled as:

Trojan.Shiz

Link:

https://www.hybrid-analysis.com/sample/06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1

Malware family:

Simda

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b1733ec-153a-4b07-bb5c-68af65633671

Result

Threat name:

LummaC, Neshta, Njrat, Simda Stealer

Detection:

malicious

Classification:

spre.bank.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1684066

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Checks if browser processes are running

Contains functionality to behave differently if execute on a Russian/Kazak computer

Contains functionality to capture and log keystrokes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to infect the boot sector

Contains functionality to inject threads in other processes

Contains functionality to log keystrokes (.Net Source)

Contains VNC / remote desktop functionality (version string found)

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with benign system names

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after checking volume information)

Found evasive API chain checking for user administrative privileges

Found malware configuration

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

LummaC encrypted strings found

Malicious sample detected (through community Yara rule)

Monitors registry run keys for changes

Moves itself to temp directory

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Yara detected Neshta

Yara detected Njrat

Yara detected Simda Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1/

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-05-05 18:34:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a32cpgaesnojc3xlewm43ltp5k4nlbkrz7w2dxerfwncxh43vgqq._file

Verdict:

malicious

Label(s):

simda

Result

Malware family:

njrat

Score:

10/10

Tags:

family:lumma family:neshta family:njrat discovery persistence spyware stealer

Link:

https://tria.ge/reports/250508-hm6s1syyby/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Detect Neshta payload

Modifies WinLogon for persistence

Neshta

Neshta family

Malware Config

C2 Extraction:

https://caffegclasiqwp.shop/api
https://stamppreewntnq.shop/api
https://stagedchheiqwo.shop/api
https://millyscroqwp.shop/api
https://evoliutwoqm.shop/api
https://condedqpwqm.shop/api
https://traineiwnqo.shop/api
https://locatedblsoqp.shop/api
https://deteriotraiwo.shop/api

Verdict:

Malicious

Tags:

rat njrat trojan neshta Win.Virus.Neshta-7101689-0

YARA:

malware_Njrat_strings Windows_Trojan_Njrat_30f3c220 MAL_Njrat MALWARE_Win_NjRAT JPCERTCC_Njrat Windows_Virus_Neshta_2a5a14c8 MAL_Neshta_Generic MALWARE_Win_Neshta

Link:

https://app.threat.zone/submission/d782aff1-e911-4342-bafd-f33918a555fb

Unpacked files

SH256 hash:

06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1

MD5 hash:

5a05543d03fef6b3db3438140de50d3e

SHA1 hash:

ae0ba09a0d96f4630b5b2dd8e5f95f41fb816010

Detections:

win_njrat_g1

win_njrat_w1

win_lumma_auto

LummaStealer

Neshta

NjRat

Link:

https://www.unpac.me/results/b441fd7b-ab09-481d-bcdc-3ff3415cb2bb/

SH256 hash:

5ae0be1705c13442a3c6c7147b29c510ba0bc8700efbe7f4cdc16a92f55353a1

MD5 hash:

4d08b3bd3f85cd71c54d69cefed0bed6

SHA1 hash:

a93dc58b7c40a3b2701f91d5daff7146277fc894

Detections:

win_njrat_g1

win_njrat_w1

NjRat

CN_disclosed_20180208_c

Njrat

win_njrat_bytecodes_oct_2023

win_njrat_strings_oct_2023

MALWARE_Win_NjRAT

Link:

https://www.unpac.me/results/b441fd7b-ab09-481d-bcdc-3ff3415cb2bb/

Parent samples :

06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1
5ae0be1705c13442a3c6c7147b29c510ba0bc8700efbe7f4cdc16a92f55353a1
0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c
0ff2942601a42220b5dc6efd49f1cb98f51fd5028e73574eb76ceba501092536
525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0
c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0

SH256 hash:

9daad3f4a69071eadb870968850eead3375230cf276e31f622dc0a77f8e5db60

MD5 hash:

5adf1914a7b8029a25e039567deabee9

SHA1 hash:

f4ff128d31e517bd6e8adf3d506c74692a79f3a1

Detections:

win_lumma_auto

LummaStealer

Link:

https://www.unpac.me/results/b441fd7b-ab09-481d-bcdc-3ff3415cb2bb/

SH256 hash:

efd37341f950bde39339a608c204b078cad2dd0aa8ab51adb6838c045134b8bd

MD5 hash:

d2cd5e43cc6301495ad55a4aba00fda8

SHA1 hash:

d9e151d0176fa183b09bd89f6c77602c25e366bd

Detections:

win_neshta_auto

win_neshta_g0

MAL_Malware_Imphash_Mar23_1

MAL_Neshta_Generic

win_neshta_1

MALWARE_Win_Neshta

Link:

https://www.unpac.me/results/b441fd7b-ab09-481d-bcdc-3ff3415cb2bb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_Enable_OfficeMacro Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing Office macro registry keys. Observed modifying Office configurations via the registy to enable macros

Rule name:	malware_Njrat_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	MALWARE_Win_Neshta Create hunting rule
Author:	ditekSHen
Description:	Detects Neshta

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi / NjRAT Golden

Rule name:	MALWARE_Win_Simda Create hunting rule
Author:	ditekShen
Description:	Detects Simda / Shifu infostealer

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_Neshta_Generic_RID2DC9 Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_njrat Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	neshta_v1 Create hunting rule
Author:	RandomMalware

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_LightDefender_Njrat_Rule Create hunting rule
Author:	Skystars LightDefender
Description:	Detects Njrat

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	Windows_Trojan_Lumma_4ad749b0 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Virus_Neshta_2a5a14c8 Create hunting rule
Author:	Elastic Security

Rule name:	win_lumma_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lumma.

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	kernel32.dll::CreateFiber kernel32.dll::LoadLibraryA kernel32.dll::GetVolumeInformationW kernel32.dll::GetVolumeInformationA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CopyFileA kernel32.dll::GetSystemDirectoryW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegCreateKeyExA advapi32.dll::RegOpenKeyW advapi32.dll::RegOpenKeyExW
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample