MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
SHA3-384 hash: 75df0bb898a9b1eafa8a8117010316e40372551a11c14c5e1639c0c79997dd370eafa52210288e48d3689d389cf6dbcc
SHA1 hash: fd4e96372f1e4957ed761e11fb885715cd30bba8
MD5 hash: 470acf531aa68ba154781b9886bb8f53
humanhash: monkey-finch-carbon-triple
File name:fd4e96372f1e4957ed761e11fb885715cd30bba8.exe
Download: download sample
Signature Simda
Create hunting rule
File size:250'880 bytes
First seen:2024-11-11 16:52:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 70527f2eb8f7c61d13b2009a3286b536 (12 x Simda)
ssdeep 6144:O7HI/0S6GcV6yabg0OLe//fRD/uzc+8fJpgY08g:gH6b6GcV6wq/fJ/rDfJpgYE
Threatray 8 similar samples on MalwareBazaar
TLSH T1B534120FBB010F93D9B75E7BD8F2DF056A366087AF66C36F9B3010400E82682795B995
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000205 (5 x Simda)
Reporter NDA0E
Tags:exe Simda

Intelligence

File Origin
# of uploads :
1
# of downloads :
385
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fd4e96372f1e4957ed761e11fb885715cd30bba8.exe
Verdict:
Malicious activity
Analysis date:
2024-11-11 18:14:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/996c689f-7db5-43de-9e1a-d2c45fbe9fa7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Shiz-2730
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67323752af2d3dc89feecd35
Tags:
emotet simda shiz
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Moving of the original file
Enabling autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/6732368a2a545f57a908ecfb/reports/f2de3b8a-69b1-40f3-bf88-b65ec730348b/overview
Verdict:
Malicious
Labled as:
Emotet.Generic
Link:
https://www.hybrid-analysis.com/sample/97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
Malware family:
Simda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b147faf-f34e-4b0f-b318-2ab299ef0f05
Result
Threat name:
Simda Stealer
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1553844
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to capture and log keystrokes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after checking volume information)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Moves itself to temp directory
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Simda Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1553844 Sample: 2w6qmU17rQ.exe Startdate: 11/11/2024 Architecture: WINDOWS Score: 100 50 bloodguiltiness.com 2->50 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 19 other signatures 2->60 9 2w6qmU17rQ.exe 2 2 2->9         started        signatures3 process4 file5 46 C:\Windows\apppatch\svchost.exe, PE32 9->46 dropped 48 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 9->48 dropped 70 Detected unpacking (changes PE section rights) 9->70 72 Detected unpacking (overwrites its own PE header) 9->72 74 Moves itself to temp directory 9->74 76 8 other signatures 9->76 13 svchost.exe 1 15 9->13         started        17 WerFault.exe 2 9->17         started        19 WerFault.exe 2 9->19         started        21 10 other processes 9->21 signatures6 process7 dnsIp8 52 bloodguiltiness.com 15.197.130.221, 49735, 49736, 49737 TANDEMUS United States 13->52 78 Antivirus detection for dropped file 13->78 80 System process connects to network (likely due to code injection or exploit) 13->80 82 Creates an undocumented autostart registry key 13->82 84 6 other signatures 13->84 23 bHiNMWJrBweJYhXTYEHkKyEmAk.exe 1 13->23 injected 26 bHiNMWJrBweJYhXTYEHkKyEmAk.exe 13 13->26 injected 28 bHiNMWJrBweJYhXTYEHkKyEmAk.exe 13->28 injected 30 10 other processes 13->30 signatures9 process10 signatures11 62 Monitors registry run keys for changes 23->62 64 Creates an autostart registry key pointing to binary in C:\Windows 23->64 66 Contains VNC / remote desktop functionality (version string found) 23->66 32 WerFault.exe 21 23->32         started        68 Found direct / indirect Syscall (likely to bypass EDR) 26->68 34 WerFault.exe 4 21 26->34         started        36 WerFault.exe 28->36         started        38 WerFault.exe 30->38         started        40 WerFault.exe 30->40         started        42 WerFault.exe 30->42         started        44 3 other processes 30->44 process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2024-11-11 08:56:30 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s7zeznxltwqnqhmzqj7e43evrljegc4v3twhivfiww6lmtczngfa._file
Verdict:
malicious
Label(s):
simda
Create hunting rule
Similar samples:
0ab14e5e55d5cbc5d885e5454807bca2cec4e9a912deee7fdcea8f8005f74cf1
Simda
1002ab36c33691f640e0a523b31506eab3e0fa25a9ded356bea687571e44a5bb
Simda
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
Simda
5d82a59f375675deb147be2c550e8088e5d832162bd4c8fbabb66afd9068c661
Simda
7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
Simda
c57280002b5de677646d0b0aca6810ef7d29264c3375c6242497044de33b7aca
Simda
error
Simda
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/241111-vd4zaavnhm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Modifies WinLogon
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon for persistence
Verdict:
Malicious
Tags:
Win.Trojan.Shiz-2730
YARA:
n/a
Link:
https://app.threat.zone/submission/8e766316-4c8a-49a1-b7b4-a79c4c8fb3e4
Unpacked files
SH256 hash:
e71db0672ff61df256f51ba11daf206c1664b3b48717a44c6de9548165c8f3d2
MD5 hash:
7212d202b9ca2128ba9103248359ff1b
SHA1 hash:
9e2714ef4cda285fb508ab46a398a40677c53e46
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/9a28ef4d-9328-4a7d-be70-04253b7e67e3/
Parent samples :
94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
1a5330f926728c43c8e020616d36fefe7f2df921192dc5e71a118990984825f4
1bb2da09029526b71ad43ac6b569c65fa9b1fa1bd3a5679416a390b463175aa1
4fd57c988fd17b5a088d2eb105fa3ec0df45e718287b470edff69c2666fd278c
9b2ce79be909946c789643aebbff5046932887905d2858edf58ed525881dffe4
e9832e8d7af48043c812baf392aae9f986075d4fabbc0d4a25ecc7fc565e11a4
e9a66b32208f9aa932b25cebca04e3215fa39369639d54e444922fb2f3c41bbe
f586373f169d5fd0d3d652596bb10d283abd18858ffd27cd48675b84a339964d
SH256 hash:
137a4007392a58abb493d4f1035ac4d6d894d4f44ffa4d95cbebc13b948c0f45
MD5 hash:
f176f326210b0ed373602211b452a5ec
SHA1 hash:
4dbc0b9145012606d2fa9429220dc7fd6b0b1921
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/9a28ef4d-9328-4a7d-be70-04253b7e67e3/
Parent samples :
94f0e72382e596bccbb744153fcbe4c498db609c0d02e91c0de2f7b8608ea41f
3a126f1a2bac426d774820f1a90ce69a2f599dc979982783b76d431fc5c85590
56c87a1185ed6a8e688dfb9f658b651912c88f30b3001c89887fc7e91514fc8a
610df50d54bb77ecae53a64b202a3e01e9b9146d9eb4e4b33bccfeae94f1901a
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
1a5330f926728c43c8e020616d36fefe7f2df921192dc5e71a118990984825f4
1bb2da09029526b71ad43ac6b569c65fa9b1fa1bd3a5679416a390b463175aa1
4fd57c988fd17b5a088d2eb105fa3ec0df45e718287b470edff69c2666fd278c
9b2ce79be909946c789643aebbff5046932887905d2858edf58ed525881dffe4
e9832e8d7af48043c812baf392aae9f986075d4fabbc0d4a25ecc7fc565e11a4
e9a66b32208f9aa932b25cebca04e3215fa39369639d54e444922fb2f3c41bbe
f586373f169d5fd0d3d652596bb10d283abd18858ffd27cd48675b84a339964d
SH256 hash:
359fb52dad0b964f8f39802987be00969726c92a83cc754c2e932170025ff4b5
MD5 hash:
3d37a9889c74304a9d001f818fcf1152
SHA1 hash:
a8090a4de2eb22677b8f56161d890cd41b93a740
Detections:
Simda
Create hunting rule
MALWARE_Win_Simda
Create hunting rule
Link:
https://www.unpac.me/results/9a28ef4d-9328-4a7d-be70-04253b7e67e3/
SH256 hash:
97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a
MD5 hash:
470acf531aa68ba154781b9886bb8f53
SHA1 hash:
fd4e96372f1e4957ed761e11fb885715cd30bba8
Link:
https://www.unpac.me/results/9a28ef4d-9328-4a7d-be70-04253b7e67e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97f24cb6eb9da0d81d99827e4e6c958ad2430b95dcec7454a8b5bcb64c59698a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
URL_MONIKERS_APICan Download & Execute componentsURLMON.DLL::RegisterMediaTypeClass
URLMON.DLL::URLOpenStreamW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::OpenSemaphoreA
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CreateDirectoryW
KERNEL32.DLL::GetSystemDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegOpenKeyW
ADVAPI32.DLL::RegQueryInfoKeyW

Comments