MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SimpleHelp


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647
SHA3-384 hash: 8be78f3f932a3f2cd4e01e6319414a0ed6b5b520bf44a5f25d833b10cf15ee1ade2b6f75c82973dff64cb0846bb7a690
SHA1 hash: 23b444193115284810fa7e8c6781344703d4c0ab
MD5 hash: f63f86cf25891f8609e5523545d46a03
humanhash: blue-zulu-one-nevada
File name:Statement.exe
Download: download sample
Signature SimpleHelp
Create hunting rule
File size:1'721'928 bytes
First seen:2026-01-12 14:14:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8e73f0b1ba8e9ea271385585fb4d5c02 (11 x SimpleHelp)
ssdeep 49152:MOlCQ8msodjHF2bg2h0kSKX15dIpRkud5ou/btE:PXJrVRR75ou/W
Threatray 94 similar samples on MalwareBazaar
TLSH T1DA85C034E6A15DBDCF37AAFCD08E44DB979BB9A203C5012717F086D68B613D0542EE29
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Anonymous
Tags:exe signed SimpleHelp

Code Signing Certificate

Organisation:SimpleHelp Ltd
Issuer:thawte SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2018-01-16T00:00:00Z
Valid to:2021-03-16T23:59:59Z
Serial number: 51f83a8f29e96230568fbf2b05c27c77
Intelligence: 11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8db44d50b25ba747234dfc8a4590a5790f331fb0022f61b0b660fa17b9bad752
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647.exe
Verdict:
Malicious activity
Analysis date:
2026-01-12 14:17:10 UTC
Tags:
simplehelp rmm-tool
Link:
https://app.any.run/tasks/80dc5431-6b24-48aa-a0e9-fc236aedf105

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48622/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69650230946a855b103e87e1
Tags:
injection obfusc sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context base64 expired-cert fingerprint masquerade microsoft_visual_cc overlay overlay signed
Link:
https://www.filescan.io/uploads/69650217d1d688e1d664faa5/reports/c6b85176-4f12-44ff-9f6b-05972afefe91/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647
Verdict:
Clean
File Type:
PE
First seen:
2026-01-12T11:56:00Z UTC
Last seen:
2026-01-14T02:29:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647/results?tab=lookup
Malware family:
SimpleHelp Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fcbff299-fa7e-43c9-a90f-4c16b3981863
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/f63f86cf25891f8609e5523545d46a03
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647/
Verdict:
Malicious
Threat:
RemoteAdmin.Win64.Remsim
Link:
https://tip.neiki.dev/file/73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=omsv3jf3p6fptlea32adxbwi7aehlh2xs2my5efkukxzi2qsszdq._file
Verdict:
malicious
Label(s):
admintool_simplehelp
Create hunting rule
Similar samples:
1d187bb535c861d8cd346246941e8d58091f65b4b718cd93e1ded1f3f85efbda
SimpleHelp
1dc76cd2c0c2d125b65e20a7d579e9f6098f4622588a53849251f0a36651ef8a
SimpleHelp
2d1a556a602ef663fc5c2ddb604ad3b7b4ed4cb082ecbf462364579532e2fbf4
SimpleHelp
422209eb15277197588269c31e403cfd14c141abd525c212d65fcf4fb46c3f50
SimpleHelp
73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647
SimpleHelp
b80792b49a6d96869442a21ecaf09e6c68bf2ef4c9c161932c6f8ac8658c23ad
SimpleHelp
e9c590f63d01ad5ac273953c5dab1d7a97d63faa3447f80963a23816cbb89aab
SimpleHelp
error
SimpleHelp
+ 84 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery persistence privilege_escalation
Link:
https://tria.ge/reports/260112-rkzflads2h/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c6c064a8-defe-4552-9870-a5455457d56c
Unpacked files
SH256 hash:
73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647
MD5 hash:
f63f86cf25891f8609e5523545d46a03
SHA1 hash:
23b444193115284810fa7e8c6781344703d4c0ab
Link:
https://www.unpac.me/results/1b21ba7e-cdd6-4536-9985-f7cc4b11fd85/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73255da4bb7f8af9ac80de803b86c8f808759f5796998e90aaa2af946a129647

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48622/

Comments