MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
SHA3-384 hash: 7b8c2136efb1f0a2829660b5adeb10e85f444ddd6551a6e81a3dcdb9bcda428b4ea9d948492d878384f64b5f51097dbc
SHA1 hash: 911fa002cc7bc6a272ea82e5ba1e0fe96cc445d9
MD5 hash: 58dc09f0b28331ddb7a937e9566c068d
humanhash: timing-charlie-glucose-fix
File name:911fa002cc7bc6a272ea82e5ba1e0fe96cc445d9.exe
Download: download sample
Signature Simda
Create hunting rule
File size:250'880 bytes
First seen:2024-11-11 16:51:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 70527f2eb8f7c61d13b2009a3286b536 (12 x Simda)
ssdeep 6144:57HI/0S6GcV6yabg0OLe//fRD/uzc+8fJpgY08g:1H6b6GcV6wq/fJ/rDfJpgYE
Threatray 21 similar samples on MalwareBazaar
TLSH T1D034120FBB010F93D9B75E7BD8F2DF056A366087AF66C36F9B3010400E82682795B995
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000205 (5 x Simda)
Reporter NDA0E
Tags:exe Simda

Intelligence

File Origin
# of uploads :
1
# of downloads :
363
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
911fa002cc7bc6a272ea82e5ba1e0fe96cc445d9.exe
Verdict:
Malicious activity
Analysis date:
2024-11-11 16:58:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f9f214bd-e636-4349-9447-24b2f9f1e464

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Shiz-2730
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673236c1af2d3dc89feecc31
Tags:
emotet simda shiz
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Moving of the original file
Enabling autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/67323644c9e5125dc6d53a08/reports/8da0888a-dfd3-4db7-b4c5-b6546135245c/overview
Verdict:
Malicious
Labled as:
Emotet.Generic
Link:
https://www.hybrid-analysis.com/sample/610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
Malware family:
Simda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83a4c03e-e133-4e10-9938-f80d26bec2d9
Result
Threat name:
Simda Stealer
Create hunting rule
Detection:
malicious
Classification:
bank.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1553884
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after checking volume information)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Moves itself to temp directory
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Simda Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1553884 Sample: 2m7DLHWhxp.exe Startdate: 11/11/2024 Architecture: WINDOWS Score: 100 38 bloodguiltiness.com 2->38 52 Suricata IDS alerts for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 18 other signatures 2->58 9 2m7DLHWhxp.exe 2 2 2->9         started        signatures3 process4 file5 34 C:\Windows\apppatch\svchost.exe, PE32 9->34 dropped 36 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 9->36 dropped 60 Detected unpacking (changes PE section rights) 9->60 62 Detected unpacking (overwrites its own PE header) 9->62 64 Moves itself to temp directory 9->64 66 8 other signatures 9->66 13 svchost.exe 1 216 9->13         started        signatures6 process7 dnsIp8 40 bloodguiltiness.com 13->40 42 bloodguiltiness.com 15.197.130.221, 49723, 49724, 49730 TANDEMUS United States 13->42 68 System process connects to network (likely due to code injection or exploit) 13->68 70 Creates an undocumented autostart registry key 13->70 72 Contains VNC / remote desktop functionality (version string found) 13->72 74 4 other signatures 13->74 17 TKNURHgGGDNBaHxGtgAXz.exe 1 13->17 injected 20 TKNURHgGGDNBaHxGtgAXz.exe 13->20 injected 22 TKNURHgGGDNBaHxGtgAXz.exe 13->22 injected 24 12 other processes 13->24 signatures9 process10 signatures11 44 Monitors registry run keys for changes 17->44 46 Creates an autostart registry key pointing to binary in C:\Windows 17->46 48 Contains VNC / remote desktop functionality (version string found) 17->48 26 WerFault.exe 23 17->26         started        50 Found direct / indirect Syscall (likely to bypass EDR) 20->50 28 WerFault.exe 21 24->28         started        30 WerFault.exe 24->30         started        32 WerFault.exe 24->32         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2024-11-11 14:31:43 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=meg7kdkuxn36zlstuzfsakr6ahu3sfdnt22ojmz3zt7k5fhrsana._file
Verdict:
malicious
Label(s):
simda
Create hunting rule
Similar samples:
1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
Simda
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
Simda
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
Simda
7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
Simda
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
Simda
error
Simda
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/241111-vdg5hs1kds/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon for persistence
Verdict:
Malicious
Tags:
Win.Trojan.Shiz-2730
YARA:
n/a
Link:
https://app.threat.zone/submission/475bd3d8-2a96-44d1-9877-f1f9eb49efbb
Unpacked files
SH256 hash:
e71db0672ff61df256f51ba11daf206c1664b3b48717a44c6de9548165c8f3d2
MD5 hash:
7212d202b9ca2128ba9103248359ff1b
SHA1 hash:
9e2714ef4cda285fb508ab46a398a40677c53e46
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/c6fa0d54-7573-40ce-a56e-070084cf6a4c/
Parent samples :
94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
1a5330f926728c43c8e020616d36fefe7f2df921192dc5e71a118990984825f4
1bb2da09029526b71ad43ac6b569c65fa9b1fa1bd3a5679416a390b463175aa1
4fd57c988fd17b5a088d2eb105fa3ec0df45e718287b470edff69c2666fd278c
9b2ce79be909946c789643aebbff5046932887905d2858edf58ed525881dffe4
e9832e8d7af48043c812baf392aae9f986075d4fabbc0d4a25ecc7fc565e11a4
e9a66b32208f9aa932b25cebca04e3215fa39369639d54e444922fb2f3c41bbe
f586373f169d5fd0d3d652596bb10d283abd18858ffd27cd48675b84a339964d
SH256 hash:
137a4007392a58abb493d4f1035ac4d6d894d4f44ffa4d95cbebc13b948c0f45
MD5 hash:
f176f326210b0ed373602211b452a5ec
SHA1 hash:
4dbc0b9145012606d2fa9429220dc7fd6b0b1921
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/c6fa0d54-7573-40ce-a56e-070084cf6a4c/
Parent samples :
94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
1a5330f926728c43c8e020616d36fefe7f2df921192dc5e71a118990984825f4
1bb2da09029526b71ad43ac6b569c65fa9b1fa1bd3a5679416a390b463175aa1
4fd57c988fd17b5a088d2eb105fa3ec0df45e718287b470edff69c2666fd278c
9b2ce79be909946c789643aebbff5046932887905d2858edf58ed525881dffe4
e9832e8d7af48043c812baf392aae9f986075d4fabbc0d4a25ecc7fc565e11a4
e9a66b32208f9aa932b25cebca04e3215fa39369639d54e444922fb2f3c41bbe
f586373f169d5fd0d3d652596bb10d283abd18858ffd27cd48675b84a339964d
SH256 hash:
6f92b2fcc084f5d12c244ee6a41b369a539d51d526d4895637344846af453365
MD5 hash:
c550ab819e6f4aa849298e53ac6be975
SHA1 hash:
67ce1b52b84c43eb3f066c1ecde529a5b17c4642
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/c6fa0d54-7573-40ce-a56e-070084cf6a4c/
SH256 hash:
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
MD5 hash:
58dc09f0b28331ddb7a937e9566c068d
SHA1 hash:
911fa002cc7bc6a272ea82e5ba1e0fe96cc445d9
Link:
https://www.unpac.me/results/c6fa0d54-7573-40ce-a56e-070084cf6a4c/
Malware family:
Shifu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/610df50d54bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
URL_MONIKERS_APICan Download & Execute componentsURLMON.DLL::RegisterMediaTypeClass
URLMON.DLL::URLOpenStreamW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::OpenSemaphoreA
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CreateDirectoryW
KERNEL32.DLL::GetSystemDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegOpenKeyW
ADVAPI32.DLL::RegQueryInfoKeyW

Comments