MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
SHA3-384 hash: b6033ffaa66b1204581f4ce40705189423072624e9c97b65563d65fdb1d66cd25553bc6ed66f214346c96d52bc10e212
SHA1 hash: 21e785efa513d9f76e04fdda348526d78d015171
MD5 hash: 6cb384125f31bd559502cdcc56f25e68
humanhash: victor-wolfram-finch-william
File name:21e785efa513d9f76e04fdda348526d78d015171.exe
Download: download sample
Signature Simda
Create hunting rule
File size:250'880 bytes
First seen:2024-11-11 16:50:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 70527f2eb8f7c61d13b2009a3286b536 (12 x Simda)
ssdeep 6144:V7HI/0S6GcV6yabg0OLe//fRD/uzc+8fJpgY08g:5H6b6GcV6wq/fJ/rDfJpgYE
Threatray 30 similar samples on MalwareBazaar
TLSH T14C34120FBB010F93D9B75E7BD8F2DF056A366087AF66C36F9B3010400E82682795B995
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000205 (5 x Simda)
Reporter NDA0E
Tags:exe Simda

Intelligence

File Origin
# of uploads :
1
# of downloads :
345
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
21e785efa513d9f76e04fdda348526d78d015171.exe
Verdict:
Malicious activity
Analysis date:
2024-11-11 17:57:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/09f7e923-1fce-4c83-9310-3889433f53ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Shiz-2730
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6732361eaf2d3dc89feecb32
Tags:
emotet simda shiz
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Moving of the original file
Enabling autorun
Verdict:
Malicious
Labled as:
Emotet.Generic
Link:
https://www.hybrid-analysis.com/sample/94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
Malware family:
Simda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e01ce07-fe81-4dc5-a89e-307dacaad9a6
Result
Threat name:
Simda Stealer
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1553781
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to capture and log keystrokes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking volume information)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Moves itself to temp directory
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Simda Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1553781 Sample: jYCuKbE5wl.exe Startdate: 11/11/2024 Architecture: WINDOWS Score: 100 44 bloodguiltiness.com 2->44 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 18 other signatures 2->62 9 jYCuKbE5wl.exe 2 2 2->9         started        signatures3 process4 file5 40 C:\Windows\apppatch\svchost.exe, PE32 9->40 dropped 42 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 9->42 dropped 64 Detected unpacking (changes PE section rights) 9->64 66 Detected unpacking (overwrites its own PE header) 9->66 68 Moves itself to temp directory 9->68 70 8 other signatures 9->70 13 svchost.exe 1 61 9->13         started        signatures6 process7 dnsIp8 46 bloodguiltiness.com 15.197.130.221, 49752, 49753, 49754 TANDEMUS United States 13->46 72 System process connects to network (likely due to code injection or exploit) 13->72 74 Detected unpacking (changes PE section rights) 13->74 76 Detected unpacking (creates a PE file in dynamic memory) 13->76 78 17 other signatures 13->78 17 zDbORPfEqFEWY.exe 1 13 13->17 injected 20 zDbORPfEqFEWY.exe 13 13->20 injected 22 zDbORPfEqFEWY.exe 13->22 injected 24 8 other processes 13->24 signatures9 process10 signatures11 48 Monitors registry run keys for changes 17->48 50 Creates an autostart registry key pointing to binary in C:\Windows 17->50 52 Contains VNC / remote desktop functionality (version string found) 17->52 26 WerFault.exe 21 17->26         started        54 Found direct / indirect Syscall (likely to bypass EDR) 20->54 28 WerFault.exe 20->28         started        30 WerFault.exe 22->30         started        32 WerFault.exe 24->32         started        34 WerFault.exe 24->34         started        36 WerFault.exe 24->36         started        38 2 other processes 24->38 process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2024-11-11 08:50:19 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=styooi4c4wllzs5xiqkt7s7eysmnwye4buboshan4l33qyeouqpq._file
Verdict:
malicious
Label(s):
simda
Create hunting rule
Similar samples:
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
Simda
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
Simda
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
Simda
7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
Simda
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
Simda
error
Simda
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/241111-vcadaa1jh1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon for persistence
Verdict:
Malicious
Tags:
Win.Trojan.Shiz-2730
YARA:
n/a
Link:
https://app.threat.zone/submission/3f52627d-940d-49fd-b49f-39a9b02594af
Unpacked files
SH256 hash:
e71db0672ff61df256f51ba11daf206c1664b3b48717a44c6de9548165c8f3d2
MD5 hash:
7212d202b9ca2128ba9103248359ff1b
SHA1 hash:
9e2714ef4cda285fb508ab46a398a40677c53e46
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/079f6499-b7a1-4e6f-9fe5-ba2fa3c83f00/
Parent samples :
94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
1a5330f926728c43c8e020616d36fefe7f2df921192dc5e71a118990984825f4
1bb2da09029526b71ad43ac6b569c65fa9b1fa1bd3a5679416a390b463175aa1
4fd57c988fd17b5a088d2eb105fa3ec0df45e718287b470edff69c2666fd278c
9b2ce79be909946c789643aebbff5046932887905d2858edf58ed525881dffe4
e9832e8d7af48043c812baf392aae9f986075d4fabbc0d4a25ecc7fc565e11a4
e9a66b32208f9aa932b25cebca04e3215fa39369639d54e444922fb2f3c41bbe
f586373f169d5fd0d3d652596bb10d283abd18858ffd27cd48675b84a339964d
SH256 hash:
137a4007392a58abb493d4f1035ac4d6d894d4f44ffa4d95cbebc13b948c0f45
MD5 hash:
f176f326210b0ed373602211b452a5ec
SHA1 hash:
4dbc0b9145012606d2fa9429220dc7fd6b0b1921
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/079f6499-b7a1-4e6f-9fe5-ba2fa3c83f00/
Parent samples :
94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
1a5330f926728c43c8e020616d36fefe7f2df921192dc5e71a118990984825f4
1bb2da09029526b71ad43ac6b569c65fa9b1fa1bd3a5679416a390b463175aa1
4fd57c988fd17b5a088d2eb105fa3ec0df45e718287b470edff69c2666fd278c
9b2ce79be909946c789643aebbff5046932887905d2858edf58ed525881dffe4
e9832e8d7af48043c812baf392aae9f986075d4fabbc0d4a25ecc7fc565e11a4
e9a66b32208f9aa932b25cebca04e3215fa39369639d54e444922fb2f3c41bbe
f586373f169d5fd0d3d652596bb10d283abd18858ffd27cd48675b84a339964d
SH256 hash:
075ab2bb754d712673ac5e93b7967ec685f633a91bdc2636220586b6a8958690
MD5 hash:
1f1f3f5a9efa134e41c762e51db53056
SHA1 hash:
b3436a863d11efc83f64e6e26a32e32c8aa7c8dd
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/079f6499-b7a1-4e6f-9fe5-ba2fa3c83f00/
SH256 hash:
94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
MD5 hash:
6cb384125f31bd559502cdcc56f25e68
SHA1 hash:
21e785efa513d9f76e04fdda348526d78d015171
Link:
https://www.unpac.me/results/079f6499-b7a1-4e6f-9fe5-ba2fa3c83f00/
Malware family:
Shifu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94f0e72382e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
URL_MONIKERS_APICan Download & Execute componentsURLMON.DLL::RegisterMediaTypeClass
URLMON.DLL::URLOpenStreamW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::OpenSemaphoreA
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CreateDirectoryW
KERNEL32.DLL::GetSystemDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegOpenKeyW
ADVAPI32.DLL::RegQueryInfoKeyW

Comments