MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1805c2e5c5236abf7dfa8c1edb4306e5d0eb518688aba5f2a1c74bd4db53454. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Simda


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1805c2e5c5236abf7dfa8c1edb4306e5d0eb518688aba5f2a1c74bd4db53454
SHA3-384 hash: 387d69474068f180ea1f74fffb1eb00433a3d61b39e0e5184304f9b38f0217441375f391fd7aec57c18a5bc96ec99615
SHA1 hash: fd6b3b2ea9ad39d28855d81532a80db7287be801
MD5 hash: 3ee2c0a5e02e4fa9998e3dc37346b85f
humanhash: nuts-fish-wolfram-island
File name:3ee2c0a5e02e4fa9998e3dc37346b85f.vir
Download: download sample
Signature Simda
Create hunting rule
File size:2'184'192 bytes
First seen:2022-05-26 08:07:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 173abfa8f7d7adac2a90a2e42625b7d9 (27 x Simda, 6 x GuLoader)
ssdeep 49152:mmV2AprmV2ApkmV2AprmV2ApkmV2AprmV2Ap8:mm/mIm/mIm/mQ
Threatray 12'814 similar samples on MalwareBazaar
TLSH T19EA58E21F1C0807AE4F5157096FF7A5B246CA9B6472838D7E7986EC928741F27A3C2C7
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter KdssSupport
Tags:exe Shiz Simda

Intelligence

File Origin
# of uploads :
1
# of downloads :
512
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
shiz
Create hunting rule
ID:
1
File name:
3ee2c0a5e02e4fa9998e3dc37346b85f.vir
Verdict:
Malicious activity
Analysis date:
2022-05-26 08:00:42 UTC
Tags:
trojan shiz simda sinkhole
Link:
https://app.any.run/tasks/25b4d7e8-a745-4a42-9f6c-c4ba7bfb3a4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274679/
Detection(s):
Win.Trojan.Shiz-9885535-0
Create hunting rule

Win.Trojan.Shiz-9949267-0
Create hunting rule

ditekSHen.MALWARE.Win.Ransomware.KillMBR.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.StrongPity.UNOFFICIAL
Create hunting rule

Win.Trojan.Generic-6323528-0
Create hunting rule

Win.Trojan.7348569-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Searching for the anti-virus window
Moving of the original file
Query of malicious DNS domain
Enabling autorun
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd.exe control.exe evasive explorer.exe greyware hacktool ibank keylogger overlay packed remote.exe shell32.dll shifu shiz simda spyeye
Link:
https://www.filescan.io/uploads/628f35643ec49f83a6cd3147/reports/51eba079-8a7d-499b-b090-b6c24848984d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Simda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b7d1fef-7453-4b0a-ab7c-dd2292c6a141
Result
Threat name:
Simda Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001994
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found evasive API chain (may stop execution after checking volume information)
Found evasive API chain checking for user administrative privileges
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to resolve many domain names, but no domain seems valid
Yara detected Simda Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1805c2e5c5236abf7dfa8c1edb4306e5d0eb518688aba5f2a1c74bd4db53454/
Threat name:
Win32.Trojan.Shiz
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 02:25:17 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1f5d1a6e5b8348de9ce67d1dc9b1df3b54d85993f57b40d89eee35cba911f13c
Simda
2ed58cba6fbba892cde349ea6759ddbe197bcc1adf9c55801b30ccd3d28ec55f
Simda
347ec9d5455536ace4c650476001fb0511d5ea5f734a951b523ade3001472dd4
Simda
68e7c82cc5535b87b0e1310f9a054432944b6efa0471e2b03101554bdf7decc2
Simda
7b673f65dfb02aea2b7fe950c749c17a953d2b9514aa78c663aac6c002b6bf6b
Simda
8ce080d9cde54a6655f0af9fb4e1630bbcb1164843d4f7f7da54d49bb1264f2c
Simda
9b322d3c3a5bd842ae2563f5eb2ae4cf7957132311ccf051d7bfeb4601866a33
Simda
a823a4702ff08fa0b0b70a2f781fe36db904ec2d975f58a5f9d44e85f4b85740
Simda
b1a72877c41f16f08ed32ff3d01ed51489c5a2e358f2866bceefd0e60156ed0a
Simda
dadd0d7d480d15bb718d82ff012ace97f16fb4a2a6862dc5ad04e9b2b95380cc
Simda
+ 12'804 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Link:
https://tria.ge/reports/220526-j1jq3sdeep/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Modifies WinLogon
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Wapack Labs Sinkhole DNS Reply
Unpacked files
SH256 hash:
c1805c2e5c5236abf7dfa8c1edb4306e5d0eb518688aba5f2a1c74bd4db53454
MD5 hash:
3ee2c0a5e02e4fa9998e3dc37346b85f
SHA1 hash:
fd6b3b2ea9ad39d28855d81532a80db7287be801
Detections:
win_simda_g0
Create hunting rule
win_simda_g1
Create hunting rule
Link:
https://www.unpac.me/results/f0fe15d6-62a3-4113-9218-638618a428a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1805c2e5c5236abf7dfa8c1edb4306e5d0eb518688aba5f2a1c74bd4db53454

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274679/

Comments