MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 677c236044863657af6eba8f5ad8943c88271e8953b7dfe13094d14649c8e559. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SimpleHelp


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 677c236044863657af6eba8f5ad8943c88271e8953b7dfe13094d14649c8e559
SHA3-384 hash: 8a78000fd1775863313201548c5fe6e4487968cd54c0a21e748f9a701d8da36896ed260048f9be0fb3758000f35c4cc6
SHA1 hash: 30e6de1b6ecf2c47e8cc1e5f8a80307ad03fbfd9
MD5 hash: 8258ed904f338c121c794b5b51c6ba3b
humanhash: xray-thirteen-twelve-autumn
File name:SecuriteInfo.com.Trojan.Siggen21.26234.28756.2536
Download: download sample
Signature SimpleHelp
Create hunting rule
File size:7'330'408 bytes
First seen:2024-04-03 04:17:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2bf1fc659e1e270e26d98d8a21b8f037 (10 x SimpleHelp)
ssdeep 196608:ybGcN/2zfjsegfhjXJ9S6sQVyIVACj6m5b9bvMKaO9z:EGpzfjSZZI63V/VGm5biw9
Threatray 22 similar samples on MalwareBazaar
TLSH T11F762378E7E15CB9DF37A6BCD08A44ABA757B8A603C4026317F185E28F613D0542EF19
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 70fcb0b0b0b0f87c (28 x SimpleHelp, 10 x CobaltStrike)
Reporter SecuriteInfoCom
Tags:exe signed SimpleHelp

Code Signing Certificate

Organisation:SimpleHelp Ltd
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-03-01T00:00:00Z
Valid to:2024-02-29T23:59:59Z
Serial number: 4bc2e5bbf245c046a66d2b46976d5411
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5680ca7a6616f2a2a33a20f5205383b224b09f4369f2b80736bd505fa9708ec9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
677c236044863657af6eba8f5ad8943c88271e8953b7dfe13094d14649c8e559.exe
Verdict:
Malicious activity
Analysis date:
2024-04-03 04:18:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/13849f8e-e95a-49f2-a77a-f1348ffe0263

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Moving a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Replacing files
Launching a process
Moving a file to the Program Files subdirectory
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin masquerade overlay packed remote shell32
Link:
https://www.filescan.io/uploads/660cd87fec04992a87d93082/reports/8d5d0a53-3fe0-44f1-9d28-1f3ecfd49962/overview
Verdict:
Malicious
Labled as:
Tool.Remsim.Win64
Link:
https://www.hybrid-analysis.com/sample/677c236044863657af6eba8f5ad8943c88271e8953b7dfe13094d14649c8e559
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bd7e57a7-b83a-4b87-8cfe-3c821075037f
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.troj.evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1419142
Signature
Contains VNC / remote desktop functionality (version string found)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes a notice file (html or txt) to demand a ransom
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1419142 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 03/04/2024 Architecture: WINDOWS Score: 48 59 support.screaming-tech.com 2->59 63 Snort IDS alert for network traffic 2->63 65 Multi AV Scanner detection for submitted file 2->65 9 SecuriteInfo.com.Trojan.Siggen21.26234.28756.2536.exe 282 2->9         started        signatures3 process4 dnsIp5 61 support.screaming-tech.com 45.55.175.227, 49735, 49736, 49737 DIGITALOCEAN-ASNUS United States 9->61 43 C:\ProgramData\...\en.txt, ASCII 9->43 dropped 45 C:\...\Remote AccessWinLauncher.exe, PE32+ 9->45 dropped 47 C:\ProgramData\...\session_win.exe, PE32 9->47 dropped 49 56 other files (none is malicious) 9->49 dropped 67 Writes a notice file (html or txt) to demand a ransom 9->67 69 Contains VNC / remote desktop functionality (version string found) 9->69 14 Remote Access.exe 9->14         started        17 icacls.exe 1 9->17         started        19 icacls.exe 1 9->19         started        21 18 other processes 9->21 file6 signatures7 process8 file9 51 C:\ProgramData\...\winpty-agent64.exe, PE32+ 14->51 dropped 53 C:\...\utils_wnative_winpty_intel-64.dll, PE32+ 14->53 dropped 55 C:\...\utils_wnative_shpty_intel-64.dll, PE32+ 14->55 dropped 57 6 other files (none is malicious) 14->57 dropped 23 icacls.exe 14->23         started        25 icacls.exe 14->25         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        35 conhost.exe 21->35         started        37 conhost.exe 21->37         started        process10 process11 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started       
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/677c236044863657af6eba8f5ad8943c88271e8953b7dfe13094d14649c8e559
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/677c236044863657af6eba8f5ad8943c88271e8953b7dfe13094d14649c8e559/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m56cgyceqy3fpl3oxkhvvweuhsecohujko357yjqstiumsoi4vmq._file
Verdict:
unknown
Similar samples:
2fc4d9ebb218aa23eb3a7a4d4068daa9c6957c79f6676480284ee7384940e9b9
SimpleHelp
73fea0c02f6ed48b09c98c3110f671c248f4d8c251e17218a66124e4969c57e9
SimpleHelp
7a239a87c0785429e4ac4b42b826c7157244c565b5b97f0f43272fdbc125ec9a
SimpleHelp
9527343296da11d1c6db18242779b3e604771b8806f19d89ad8d5f24c0425813
SimpleHelp
d10d994466e97fb43a0a94a427cefd551f2a256f51cef137745d2a3e049dfe27
SimpleHelp
d4ac404c10af09a4fbeb91e2abcefc55fe3bb913316f019b3dbf740c6dc232d5
SimpleHelp
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/240403-ewyxzsfh2t/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
677c236044863657af6eba8f5ad8943c88271e8953b7dfe13094d14649c8e559
MD5 hash:
8258ed904f338c121c794b5b51c6ba3b
SHA1 hash:
30e6de1b6ecf2c47e8cc1e5f8a80307ad03fbfd9
Link:
https://www.unpac.me/results/374511f9-ae17-4739-9c2e-e0899211d959/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/677c236044863657af6eba8f5ad8943c88271e8953b7dfe13094d14649c8e559

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertStringSidToSidA
ADVAPI32.dll::EqualSid
ADVAPI32.dll::GetExplicitEntriesFromAclA
ADVAPI32.dll::GetNamedSecurityInfoA
ADVAPI32.dll::SetEntriesInAclA
ADVAPI32.dll::SetNamedSecurityInfoA
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
WININET.dll::InternetCloseHandle
WINHTTP.dll::WinHttpCloseHandle
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameA
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpGetIEProxyConfigForCurrentUser
WINHTTP.dll::WinHttpGetProxyForUrl
WINHTTP.dll::WinHttpOpen
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments