MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51
SHA3-384 hash: d9993785a72dc8336a6b03648037b1969a27c965e17db7034401d524c043b747a8d141c0f7222a24e800d28ce88f811a
SHA1 hash: be7f60898bf6e108aadc370b7ba9c3135bbfb4ee
MD5 hash: 475feaf47584ea0673437174181f5019
humanhash: blue-sad-spaghetti-neptune
File name:Bonelessness.exe
Download: download sample
Signature Simda
Create hunting rule
File size:213'504 bytes
First seen:2024-08-23 16:45:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91c8557273d46cefa6ad80b57deb236d (1 x Simda)
ssdeep 6144:KJRDxRqdSqQts6iRZsTZuDbhivDVDN8zqF3:KcjQKUZigDVJ5
TLSH T1202412B375D6A8EFFA560E7A95BEAD0868FC1CC14B6B45752D003936BCB3402F416C92
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon d6e259945a9a25ed (1 x Simda)
Reporter adm1n_usa32
Tags:exe Shiz Simda

Intelligence

File Origin
# of uploads :
1
# of downloads :
380
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
shiz
Create hunting rule
ID:
1
File name:
Bonelessness.exe
Verdict:
Malicious activity
Analysis date:
2024-08-23 16:44:22 UTC
Tags:
shiz sinkhole
Link:
https://app.any.run/tasks/6704ee3a-b139-4a61-9e9b-c139c8a50622

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Shiz-2731
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c8bccbe7ff3f5a063bcfda
Tags:
Generic Infostealer Network Stealth Trojan Shiz
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Connection attempt to an infection source
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Searching for the anti-virus window
Moving of the original file
Query of malicious DNS domain
Enabling autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto lolbin packed shell32
Link:
https://www.filescan.io/uploads/66c8bccccf0999714ca51502/reports/c110d08a-c408-41ef-839e-c34eb548db7c/overview
Verdict:
Malicious
Labled as:
Backdoor.Shiz
Link:
https://www.hybrid-analysis.com/sample/55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Simda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02f8991f-cc71-4762-881b-ec90a6feea8f
Result
Threat name:
Simda Stealer
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1498165
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Checks if browser processes are running
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to capture and log keystrokes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after checking volume information)
Found evasive API chain checking for user administrative privileges
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries Google from non browser process on port 80
Queries random domain names (often used to prevent blacklisting and sinkholes)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to resolve many domain names, but no domain seems valid
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Simda Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1498165 Sample: Bonelessness.exe Startdate: 23/08/2024 Architecture: WINDOWS Score: 100 49 www.sedoparking.com 2->49 51 vowyzuf.com 2->51 53 1009 other IPs or domains 2->53 73 Suricata IDS alerts for network traffic 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for URL or domain 2->77 79 21 other signatures 2->79 9 Bonelessness.exe 2 3 2->9         started        13 svchost.exe 66 2->13         started        signatures3 process4 file5 45 C:\Windows\apppatch\svchost.exe, PE32 9->45 dropped 47 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 9->47 dropped 81 Detected unpacking (changes PE section rights) 9->81 83 Detected unpacking (overwrites its own PE header) 9->83 85 Moves itself to temp directory 9->85 87 8 other signatures 9->87 15 svchost.exe 94 9->15         started        19 WerFault.exe 2 13->19         started        21 WerFault.exe 2 13->21         started        23 WerFault.exe 13->23         started        25 12 other processes 13->25 signatures6 process7 dnsIp8 59 pufyjag.com 15->59 61 lysynur.com 15->61 63 31 other IPs or domains 15->63 65 System process connects to network (likely due to code injection or exploit) 15->65 67 Detected unpacking (changes PE section rights) 15->67 69 Detected unpacking (overwrites its own PE header) 15->69 71 19 other signatures 15->71 27 JbrLYfXaOpqnSngA.exe 1 15->27 injected 30 JbrLYfXaOpqnSngA.exe 15->30 injected 32 JbrLYfXaOpqnSngA.exe 15->32 injected 34 13 other processes 15->34 signatures9 process10 signatures11 89 Monitors registry run keys for changes 27->89 91 Creates an autostart registry key pointing to binary in C:\Windows 27->91 93 Contains VNC / remote desktop functionality (version string found) 27->93 36 WerFault.exe 27->36         started        95 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 30->95 97 Found direct / indirect Syscall (likely to bypass EDR) 30->97 38 WerFault.exe 34->38         started        41 WerFault.exe 34->41         started        43 WerFault.exe 34->43         started        process12 dnsIp13 55 pujylyv.com 38->55 57 qebyhuq.com 41->57
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51/
Threat name:
Win32.Trojan.Shiz
Create hunting rule
Status:
Malicious
First seen:
2024-08-23 13:21:00 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kw76lafni64mlga64oobwjtzappnlcek5e6eosyz4mprrsvalziq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240823-t9ylpsyblp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon for persistence
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5d2b6ff5-2fb1-4842-95f4-27f07042be4c
Unpacked files
SH256 hash:
e3fa2bf915789a2aa46a56188922f7c6e40c460b5f13366225e6103869c7bcff
MD5 hash:
e50057fdcabc7dea7d8670da2add7b0d
SHA1 hash:
55925abdbf3b90d7b538f796c2d009ccd9e60279
Detections:
Simda
Create hunting rule
win_simda_auto
Create hunting rule
win_simda_g0
Create hunting rule
win_simda_g1
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/4d5a6430-459e-4806-9b2d-ac6b896d1963/
Parent samples :
dc1c6d303002b580188a6d25d471d95d5a001186f85db279aca2e2de98527b92
55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51
03336e55e9bc4f0ae61098eeb358c36cf558683c457e7ccce374a61335df36d0
0954d357412d7bcccb3e28d9760e621a7c32a34626fa7fff0f4c101de53ddd05
0bdb5f7f03b6be6ad31a7397d265535ae95c85271d0345c6331e296ffaa09f17
14164234fdf8d6cf6d08ad2b1a5341fcabf6ecea1dc159f87af4fe164ef7c74a
19b249c8c048de11213666ae13cc1c62635dda37cf2a41b696dc0f946362cacf
217d3556de75c6ae83f565aad46e73a7ab892f1cbe3d2b55aa70d2112181e110
2c2e74c219be5698372888cca337abaed31d50b438596830d4c9043c04d6dea8
35972590b79eabb7394fa147b3dd64a8f3f7f0bddb82c527d87f345215c00e30
48f84d7d505f3a2ce61baa8e56dd0838d0b81a0103db009bfd5596fb3f62af4d
535b682938ea8f9ff66d4c75cf9dee36060ba4caf9713cadd4638e4adddbdde2
53c1854d8132616a67e0aceaa012cb8b760e6205d433f0e01aec35ef81cd505c
552b60239027f24fbfacaf9d7497a318f4ae89898c60338f68fcac18327cea88
59d16811cc0a1c0caf3a05f043818b61e3e99c6df7476e91f8bb8fa30e188043
61d8fb1f75b5f2a16cd31e459ca8d6a98fbdaaa73fa12598b359615adc938bf4
632a95a51b95ba00d06df6881c06a766e6e8496ed2fa070b810adc4b96012bb5
7264095b75d31b7ed0b80ecaa36f80ffcbdcedeac4d49c2a70ec684ee070140e
8032eeaa6fb612a56ab09e7469e264e4bb9186a0321e0b10cabec3aaa39a5a2f
8447097cbe5deca77a965ba8fdaa19270af3a686c4d8c64a6c4fb997a41fed12
88facdfb67f3a194192da9c690c1e9064218f86e90acdfe11c51c2fda18221b0
8d889a2aee7890a15ee20f20a1d8f1aded466f6c1c55ae571255ffca61066fad
8e2a2dc3cfb53da2352439b230ccf315c257ceb99e7c1cc99b48e41f435d7f51
9281131d1d575208074c69fb09ea2d0f912c98cc98f5dc7c2e331df1b426383a
a13b480f8be5a52bcb8a128e5da1b8738356c62830d1964423d77657ca1c9f55
a624205430cc2c2bfbac3f26744bc741dece39dc1b40f2f9c298b2355846300f
ab2530727d9438d1a32da7379b5795eb4053af832f5254e3d04a6d33c9b9ebd9
ab7b84926ba559386505018f1fea2512b6acffa61205c871d18c42c6621c2904
b0057b6c3a1c0b6da1c11ca0e74af354c848c6ce1f4abacbc9b44c32174619b1
b35935b1f0fc9cc104bd32a4e8410a6fe04e1b5b4ca714c918df55353435ef1a
b9cc8a804c0cc89e9f31c66e943408c76d35363ed664c87fe828efd0909ab87b
be8d0ec74025f2a531c7cc903be20131e47e2b54da9a0ed2a48af66d4cd66a74
bf279efd14dd25bcd0b9292c677df631b7d9520029e15f2d2b8cba49177fc3ef
c28b49bb5673deb40c8225c66e84a88306f2fc7be4e207a7cb668522e659ad2e
e3a917b9425e70c7fbe5e9c94578708ba62979569c18698a178d78dbc5f65c0e
eecfd380869328417580435ad8ac5db3b35ddfe2b0818e8e152218800178b468
SH256 hash:
67214544586d17b2c119920ec6a92776835e1ab09f0f34489d819ec2a8e1720b
MD5 hash:
24fac3845139a372434ba5ac8de637ae
SHA1 hash:
b0544507d0a6d7494671e899a03b9611b184d76f
Detections:
Simda
Create hunting rule
win_simda_auto
Create hunting rule
win_simda_g0
Create hunting rule
win_simda_g1
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/4d5a6430-459e-4806-9b2d-ac6b896d1963/
SH256 hash:
3f39516141ad577974a6959abaf0e353a78827e8b3d6445af04e485eb984d1ed
MD5 hash:
5d683c020a381bc5f737a5f94e612e11
SHA1 hash:
e2346cc7e0cdb5dac25cc10f13f9eaef5ff4e279
Detections:
Simda
Create hunting rule
win_simda_auto
Create hunting rule
win_simda_g0
Create hunting rule
win_simda_g1
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/4d5a6430-459e-4806-9b2d-ac6b896d1963/
SH256 hash:
55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51
MD5 hash:
475feaf47584ea0673437174181f5019
SHA1 hash:
be7f60898bf6e108aadc370b7ba9c3135bbfb4ee
Link:
https://www.unpac.me/results/4d5a6430-459e-4806-9b2d-ac6b896d1963/
Malware family:
Shifu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55bfe580ad47/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55bfe580ad47b8c5981ee39c1b267903ded5888ae93c474b19e31f18caa05e51

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/6704ee3a-b139-4a61-9e9b-c139c8a50622

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::SHGetFileInfoW
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CopyFileA
WIN_CRYPT_APIUses Windows Crypt APIcrypt32.dll::CertDuplicateCRLContext
crypt32.dll::CertFindAttribute
crypt32.dll::CertFindChainInStore
crypt32.dll::CertGetCRLFromStore
crypt32.dll::CertGetIntendedKeyUsage
crypt32.dll::CryptBinaryToStringA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegCreateKeyExW
advapi32.dll::RegDeleteKeyW
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegOpenKeyW
WIN_USER_APIPerforms GUI Actionsuser32.dll::AppendMenuW
user32.dll::CreateWindowExA

Comments