MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
SHA3-384 hash:	488daba4c09cdc00d48b28d33cc158b1d64519ef27ef11ae88b85f06f968c16280a476826bf7130924d4e516a14284f5
SHA1 hash:	ac4f86cc54526b71b0115c0801280cbd1ab39096
MD5 hash:	e7099ac5fecf1dffab49fc01931889f3
humanhash:	butter-juliet-low-mirror
File name:	svchost.exe
Download:	download sample
Signature	Simda Create hunting rule
File size:	249'856 bytes
First seen:	2024-09-03 02:13:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	25724a12bec6f765c371201f99ac92be (12 x Simda)
ssdeep	6144:2EXlSylvFuWaS54hIAv/QhuA7HY8pPZ0FP6BzxM5EmX:LAylvv5YRwh9HYd61xhmX
Threatray	2 similar samples on MalwareBazaar
TLSH	T1CD3412C7A1482CE1C4400A3389FEE7415E3DF9492F5AD4FBDB984119AFA8A917F3521E
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	0000000000000102 (12 x Simda)
Reporter	adm1n_usa32
Tags:	exe Simda

Intelligence

File Origin

# of uploads :

# of downloads :

384

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

unrepellent.exe

Verdict:

Malicious activity

Analysis date:

2024-09-03 02:13:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/20cffe85-5c12-4d84-b7d6-a939deae43f8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Shiz-1268

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66d670ed8e12b8124ac9095f

Tags:

Encryption Generic Infostealer Network Stealth Trojan Atraps

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Creating a process from a recently created file

DNS request

Connection attempt

Sending an HTTP POST request

Sending an HTTP GET request

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Moving of the original file

Enabling autorun

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

89%

Tags:

overlay

Link:

https://www.filescan.io/uploads/66d670ea727c915a27f50f10/reports/7de6970c-5fa3-4d3b-8b02-983c0180d9e7/overview

Verdict:

Malicious

Labled as:

Trojan.Shiz

Link:

https://www.hybrid-analysis.com/sample/1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f607a3d1-761d-4776-bab5-7597cae3391e

Result

Threat name:

Simda Stealer

Detection:

malicious

Classification:

bank.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1503180

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Checks if browser processes are running

Contains functionality to behave differently if execute on a Russian/Kazak computer

Contains functionality to capture and log keystrokes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)

Contains functionality to infect the boot sector

Contains functionality to inject threads in other processes

Contains VNC / remote desktop functionality (version string found)

Creates an undocumented autostart registry key

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with benign system names

Found evasive API chain (may stop execution after checking volume information)

Found evasive API chain checking for user administrative privileges

Found malware configuration

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Moves itself to temp directory

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

System process connects to network (likely due to code injection or exploit)

Yara detected Simda Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb/

Threat name:

Win32.Infostealer.Simda

Status:

Malicious

First seen:

2024-09-03 02:14:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 38 (86.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cabkwnwdg2i7mqhauur3gfig5kz6b6rfvhpngvv6u2dvohseuw5q._file

Verdict:

malicious

Simda

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/240903-cnzs7swaph/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon for persistence

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/cfe179fa-e5f4-47c1-bb60-89b0a8fa2141

Unpacked files

SH256 hash:

fd067a038e503edb4700803f6c3a7309e3b46ca865dc734bad879e4a2a8112c1

MD5 hash:

8c19822fbdc4348ec5f5ee80abd0fe77

SHA1 hash:

28d19264b0abca1123673ac473bba57fb933da47

Detections:

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/b5beeed4-c45e-4305-8de5-53d54fa909d5/

Parent samples :

1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
35afd034be5c169a9ce512e33beebfc34f8cb9cf564d706a3a6ec5faf2f683d4
4186ff44e98f32b3bcef01c4f1636236c239c77d3130f442505fd935b0fb22e5
4706bfd51c7f6d36e99f8edb5554f48f57d68629f88d0fae4d2cd485529d37b7
84ffe34ab9cbf7135b3608d048a20c739c611e38dac0e1d5914fc9335de968b9
8844a1dd4728ebfec6e107268e57ef28a1ca0dea117627b3043d7e5fab5a60e4
91dd8558fa3d3283e71559a63d8b4cc8efa140111721b8b01a6fe052f95ba89d
9d4a0c43dd80ba30f6ead70c3d5046b1efdd5f408d99a179ecc6e42eb3eaf1b1
a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa
a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393
f8adb99924cf781199cf6fa0acdcfd7317cbbca4b44a141f67af2f663a429e2e

SH256 hash:

5d4d7bb2189c51c679cb2d630eb86b6a9325d30f4a16187ecad4cc63b3686328

MD5 hash:

c8e97692386ae0104e9dbc8e63ee159b

SHA1 hash:

1c926a52144a283bf41596a4eb11538a3744b9cd

Detections:

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/b5beeed4-c45e-4305-8de5-53d54fa909d5/

Parent samples :

7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
35afd034be5c169a9ce512e33beebfc34f8cb9cf564d706a3a6ec5faf2f683d4
4186ff44e98f32b3bcef01c4f1636236c239c77d3130f442505fd935b0fb22e5
4706bfd51c7f6d36e99f8edb5554f48f57d68629f88d0fae4d2cd485529d37b7
84ffe34ab9cbf7135b3608d048a20c739c611e38dac0e1d5914fc9335de968b9
8844a1dd4728ebfec6e107268e57ef28a1ca0dea117627b3043d7e5fab5a60e4
91dd8558fa3d3283e71559a63d8b4cc8efa140111721b8b01a6fe052f95ba89d
9d4a0c43dd80ba30f6ead70c3d5046b1efdd5f408d99a179ecc6e42eb3eaf1b1
a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa
a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393
f8adb99924cf781199cf6fa0acdcfd7317cbbca4b44a141f67af2f663a429e2e

SH256 hash:

1afa76d8a3f646b731df0f878c7c4d70745f18b7d1db9c1b185708775ac97258

MD5 hash:

6e7af3fe69554d446570eee0ce458cc0

SHA1 hash:

67d55f88aecbd643be1ae5638437d4bd550f0d63

Detections:

Simda

MALWARE_Win_Simda

Link:

https://www.unpac.me/results/b5beeed4-c45e-4305-8de5-53d54fa909d5/

SH256 hash:

1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb

MD5 hash:

e7099ac5fecf1dffab49fc01931889f3

SHA1 hash:

ac4f86cc54526b71b0115c0801280cbd1ab39096

Link:

https://www.unpac.me/results/b5beeed4-c45e-4305-8de5-53d54fa909d5/

Malware family:

Shifu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1002ab36c336/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::IsValidAcl
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::CreateFiber kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA ole32.dll::CreateFileMoniker kernel32.dll::ReplaceFileA kernel32.dll::GetFileAttributesW kernel32.dll::GetTempFileNameW kernel32.dll::GetTempPathA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyW advapi32.dll::RegRestoreKeyA
WIN_USER_API	Performs GUI Actions	user32.dll::CreateMenu

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample