MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
SHA3-384 hash:	8180047ee4876f406a40d199a64681bee39cdfffb7fe80d7b6f02f7c8e2197a98a20da531aba47df635e3897f5dc28e3
SHA1 hash:	78f2eba84b5b61886a2444c47ae42ae89efa02d4
MD5 hash:	71db30d5db50af8adec8fa9c24ce9860
humanhash:	don-comet-carpet-iowa
File name:	unrepellent.exe
Download:	download sample
Signature	Simda Create hunting rule
File size:	249'856 bytes
First seen:	2024-07-08 02:41:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	25724a12bec6f765c371201f99ac92be (12 x Simda)
ssdeep	6144:9EXlSylvFuWaS54hIAv/QhuA7HY8pPZ0FP6BzxM5EmX:eAylvv5YRwh9HYd61xhmX
TLSH	T19B3412C7A1482CE1C4400A3389FEE7415E3DF9492F5AD4FBDB984119AFA8A917F3521E
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0000000000000102 (12 x Simda)
Reporter	adm1n_usa32
Tags:	exe Simda

Intelligence

File Origin

# of uploads :

# of downloads :

401

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

unrepellent.exe

Verdict:

Malicious activity

Analysis date:

2024-07-08 02:40:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a431bbdb-4ac8-41e4-9f86-579d0213189a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Shiz-1268

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=668b51fb27fa347bfaae802cwin10vpnfull_triage

Tags:

Encryption Generic Infostealer Network Stealth Trojan Shiz

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Creating a process from a recently created file

DNS request

Connection attempt

Sending an HTTP POST request

Launching the default Windows debugger (dwwin.exe)

Sending an HTTP GET request

Moving of the original file

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

ibank overlay shiz tdss

Link:

https://www.filescan.io/uploads/668b51fcbb965284a1c57be9/reports/b642938b-3970-4180-91e8-094ede195b19/overview

Verdict:

Malicious

Labled as:

Trojan.Shiz

Link:

https://www.hybrid-analysis.com/sample/7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/760a9043-8fa0-433f-b835-730721b7735a

Result

Threat name:

Simda Stealer

Detection:

malicious

Classification:

bank.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1468848

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Checks if browser processes are running

Contains functionality to behave differently if execute on a Russian/Kazak computer

Contains functionality to capture and log keystrokes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)

Contains functionality to infect the boot sector

Contains functionality to inject threads in other processes

Contains VNC / remote desktop functionality (version string found)

Creates an undocumented autostart registry key

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with benign system names

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after checking volume information)

Found evasive API chain checking for user administrative privileges

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Moves itself to temp directory

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Simda Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3/

Threat name:

Win32.Infostealer.Simda

Status:

Malicious

First seen:

2024-07-04 17:22:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o5l5gsvrmwcn2tuoqsj43knsfi53mbijhewcneeb55y76dpb3gzq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/240708-c61hfs1ckb/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon for persistence

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c85dd382-d599-4a2c-9dcb-7bbb82e33ca7

Unpacked files

SH256 hash:

d677576875d320a35f2063fe0b5de93b8359c3f0314ff467f0b290787adf473b

MD5 hash:

f8e0fd8eb39d836af52b0abec3d46c96

SHA1 hash:

590224d05d503dd95f18254db7c609cf5e73bdab

Detections:

Simda

Link:

https://www.unpac.me/results/3f2d83e2-d8f7-4a13-b0bc-ab81c21e457f/

SH256 hash:

5d4d7bb2189c51c679cb2d630eb86b6a9325d30f4a16187ecad4cc63b3686328

MD5 hash:

c8e97692386ae0104e9dbc8e63ee159b

SHA1 hash:

1c926a52144a283bf41596a4eb11538a3744b9cd

Detections:

Simda

Link:

https://www.unpac.me/results/3f2d83e2-d8f7-4a13-b0bc-ab81c21e457f/

Parent samples :

7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
35afd034be5c169a9ce512e33beebfc34f8cb9cf564d706a3a6ec5faf2f683d4
4186ff44e98f32b3bcef01c4f1636236c239c77d3130f442505fd935b0fb22e5
4706bfd51c7f6d36e99f8edb5554f48f57d68629f88d0fae4d2cd485529d37b7
84ffe34ab9cbf7135b3608d048a20c739c611e38dac0e1d5914fc9335de968b9
8844a1dd4728ebfec6e107268e57ef28a1ca0dea117627b3043d7e5fab5a60e4
91dd8558fa3d3283e71559a63d8b4cc8efa140111721b8b01a6fe052f95ba89d
9d4a0c43dd80ba30f6ead70c3d5046b1efdd5f408d99a179ecc6e42eb3eaf1b1
a010249235149bde5db560cfe16a6355bb81eecda75c9c0f741f203587116afa
a21eb5da7bb5b87ac5545aadbc5a9dc762acf6c3bd2b13ba202e781341fc4393
f8adb99924cf781199cf6fa0acdcfd7317cbbca4b44a141f67af2f663a429e2e

SH256 hash:

5ea336d33a45dc734249a745aef9e75fba78e5ff6213473ed264c2141700f22d

MD5 hash:

28e9f6de47e4a0cd351aab3da3047765

SHA1 hash:

4308ffa8738597920be89b30ca7dbd7de870c97f

Detections:

Simda

Link:

https://www.unpac.me/results/3f2d83e2-d8f7-4a13-b0bc-ab81c21e457f/

SH256 hash:

7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3

MD5 hash:

71db30d5db50af8adec8fa9c24ce9860

SHA1 hash:

78f2eba84b5b61886a2444c47ae42ae89efa02d4

Link:

https://www.unpac.me/results/3f2d83e2-d8f7-4a13-b0bc-ab81c21e457f/

Malware family:

Shifu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7757d34ab165/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::IsValidAcl
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::CreateFiber kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA ole32.dll::CreateFileMoniker kernel32.dll::ReplaceFileA kernel32.dll::GetFileAttributesW kernel32.dll::GetTempFileNameW kernel32.dll::GetTempPathA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyW advapi32.dll::RegRestoreKeyA
WIN_USER_API	Performs GUI Actions	user32.dll::CreateMenu

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample