MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
SHA3-384 hash: b5ecc5126a7162832e1c7a45703427622191ce1fc522f7f4fd2557fbd8d4ac30fa3f61cc2d1ab3b5e951280d4e18dcb0
SHA1 hash: 805b99d72f181a81f2627652cd1a28e4b74d3071
MD5 hash: ec9de179c2f0152454a02bf698482773
humanhash: lima-beer-fifteen-pennsylvania
File name:805b99d72f181a81f2627652cd1a28e4b74d3071.exe
Download: download sample
Signature Simda
Create hunting rule
File size:250'880 bytes
First seen:2024-11-11 16:51:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 70527f2eb8f7c61d13b2009a3286b536 (12 x Simda)
ssdeep 6144:O7HI/0S6GcV6yabg0OLe//fRD/uzc+8fJpgY08g:gH6b6GcV6wq/fJ/rDfJpgYE
Threatray 7 similar samples on MalwareBazaar
TLSH T14234120FBB010F93D9B75E7BD8F2DF056A366087AF66C36F9B3010400E82682795B995
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000205 (5 x Simda)
Reporter NDA0E
Tags:exe Simda

Intelligence

File Origin
# of uploads :
1
# of downloads :
357
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
805b99d72f181a81f2627652cd1a28e4b74d3071.exe
Verdict:
Malicious activity
Analysis date:
2024-11-11 17:07:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eee6fc1a-ea64-4ae5-84fc-152097aa9e6a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Shiz-2730
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673236b6af2d3dc89feecc08
Tags:
emotet simda shiz
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Moving of the original file
Enabling autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/6732363d2a545f57a908ecb2/reports/188f862d-44e6-4502-aee0-7459dfbe49b1/overview
Verdict:
Malicious
Labled as:
Emotet.Generic
Link:
https://www.hybrid-analysis.com/sample/56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
Malware family:
Simda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/952a8e9a-c7dd-4239-a094-76d95cf4e145
Result
Threat name:
Simda Stealer
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1553896
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to capture and log keystrokes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after checking volume information)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Moves itself to temp directory
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Simda Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1553896 Sample: uXK5hq53r7.exe Startdate: 11/11/2024 Architecture: WINDOWS Score: 100 38 bloodguiltiness.com 2->38 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 18 other signatures 2->56 9 uXK5hq53r7.exe 2 2 2->9         started        signatures3 process4 file5 34 C:\Windows\apppatch\svchost.exe, PE32 9->34 dropped 36 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 9->36 dropped 58 Detected unpacking (changes PE section rights) 9->58 60 Detected unpacking (overwrites its own PE header) 9->60 62 Moves itself to temp directory 9->62 64 8 other signatures 9->64 13 svchost.exe 1 58 9->13         started        signatures6 process7 dnsIp8 40 bloodguiltiness.com 15.197.130.221, 49707, 49708, 49710 TANDEMUS United States 13->40 66 System process connects to network (likely due to code injection or exploit) 13->66 68 Detected unpacking (changes PE section rights) 13->68 70 Detected unpacking (overwrites its own PE header) 13->70 72 17 other signatures 13->72 17 EneYSJSddIVqZLAxvFtC.exe 1 13->17 injected 20 EneYSJSddIVqZLAxvFtC.exe 13 13->20 injected 22 EneYSJSddIVqZLAxvFtC.exe 13->22 injected 24 9 other processes 13->24 signatures9 process10 signatures11 42 Monitors registry run keys for changes 17->42 44 Creates an autostart registry key pointing to binary in C:\Windows 17->44 46 Contains VNC / remote desktop functionality (version string found) 17->46 26 WerFault.exe 21 17->26         started        48 Found direct / indirect Syscall (likely to bypass EDR) 20->48 28 WerFault.exe 20->28         started        30 WerFault.exe 22 24->30         started        32 WerFault.exe 24->32         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2024-11-11 14:18:41 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3ehuemf5vvi42en7opwlc3fdejmrdzqwmabzcmip7d6sfiu7sfa._file
Verdict:
malicious
Label(s):
simda
Create hunting rule
Similar samples:
0ab14e5e55d5cbc5d885e5454807bca2cec4e9a912deee7fdcea8f8005f74cf1
Simda
1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
Simda
5d82a59f375675deb147be2c550e8088e5d832162bd4c8fbabb66afd9068c661
Simda
7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
Simda
c57280002b5de677646d0b0aca6810ef7d29264c3375c6242497044de33b7aca
Simda
error
Simda
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/241111-vdgtra1kcy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon for persistence
Verdict:
Malicious
Tags:
Win.Trojan.Shiz-2730
YARA:
n/a
Link:
https://app.threat.zone/submission/faf133bf-cc7d-4061-8931-9820dbe2879d
Unpacked files
SH256 hash:
e71db0672ff61df256f51ba11daf206c1664b3b48717a44c6de9548165c8f3d2
MD5 hash:
7212d202b9ca2128ba9103248359ff1b
SHA1 hash:
9e2714ef4cda285fb508ab46a398a40677c53e46
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/42d6dc2c-3ae5-428d-b021-e4047dff6ff5/
Parent samples :
94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
1a5330f926728c43c8e020616d36fefe7f2df921192dc5e71a118990984825f4
1bb2da09029526b71ad43ac6b569c65fa9b1fa1bd3a5679416a390b463175aa1
4fd57c988fd17b5a088d2eb105fa3ec0df45e718287b470edff69c2666fd278c
9b2ce79be909946c789643aebbff5046932887905d2858edf58ed525881dffe4
e9832e8d7af48043c812baf392aae9f986075d4fabbc0d4a25ecc7fc565e11a4
e9a66b32208f9aa932b25cebca04e3215fa39369639d54e444922fb2f3c41bbe
f586373f169d5fd0d3d652596bb10d283abd18858ffd27cd48675b84a339964d
SH256 hash:
137a4007392a58abb493d4f1035ac4d6d894d4f44ffa4d95cbebc13b948c0f45
MD5 hash:
f176f326210b0ed373602211b452a5ec
SHA1 hash:
4dbc0b9145012606d2fa9429220dc7fd6b0b1921
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/42d6dc2c-3ae5-428d-b021-e4047dff6ff5/
Parent samples :
94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
1a5330f926728c43c8e020616d36fefe7f2df921192dc5e71a118990984825f4
1bb2da09029526b71ad43ac6b569c65fa9b1fa1bd3a5679416a390b463175aa1
4fd57c988fd17b5a088d2eb105fa3ec0df45e718287b470edff69c2666fd278c
9b2ce79be909946c789643aebbff5046932887905d2858edf58ed525881dffe4
e9832e8d7af48043c812baf392aae9f986075d4fabbc0d4a25ecc7fc565e11a4
e9a66b32208f9aa932b25cebca04e3215fa39369639d54e444922fb2f3c41bbe
f586373f169d5fd0d3d652596bb10d283abd18858ffd27cd48675b84a339964d
SH256 hash:
dcc591de7557c6f48ca291f153f426585fa5291f3ee4868cee8e7e1e721a6fb4
MD5 hash:
2f4130660199b8901028919c332a2b5a
SHA1 hash:
b5dd4d2e84fb8a0e98d69a9bfd86047e1d0fed7e
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/42d6dc2c-3ae5-428d-b021-e4047dff6ff5/
SH256 hash:
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
MD5 hash:
ec9de179c2f0152454a02bf698482773
SHA1 hash:
805b99d72f181a81f2627652cd1a28e4b74d3071
Link:
https://www.unpac.me/results/42d6dc2c-3ae5-428d-b021-e4047dff6ff5/
Malware family:
Shifu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56c87a1185ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
URL_MONIKERS_APICan Download & Execute componentsURLMON.DLL::RegisterMediaTypeClass
URLMON.DLL::URLOpenStreamW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::OpenSemaphoreA
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CreateDirectoryW
KERNEL32.DLL::GetSystemDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegOpenKeyW
ADVAPI32.DLL::RegQueryInfoKeyW

Comments