MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90a23ff30cf40dbf180e2ca98360bbcecaf1a736f7bb118efe7fbff2db7dc82c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Simda

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	90a23ff30cf40dbf180e2ca98360bbcecaf1a736f7bb118efe7fbff2db7dc82c
SHA3-384 hash:	a21968779217110476504ab0cba1be0e4962c9324391245fce3b2d919d2a94009dafb1846cbf0df2b11875ba05bdcabc
SHA1 hash:	3c8cdf195e5d2ff97524c60edbcf7c1f4c58a87f
MD5 hash:	e4311ab08f705b3b150e1be181c9e260
humanhash:	purple-angel-lima-missouri
File name:	HEUR-Backdoor.Win32.Generic-90a23ff30cf40dbf180e2ca98360bbcecaf1a736f7bb118efe7fbff2db7dc82c
Download:	download sample
Signature	Simda Create hunting rule
File size:	2'184'192 bytes
First seen:	2022-08-31 02:53:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	173abfa8f7d7adac2a90a2e42625b7d9 (27 x Simda, 6 x GuLoader)
ssdeep	49152:smV2ApPmV2ApPmV2Ap/mV2ApPmV2ApPmV2Ap8:smDmDm7mDmDmQ
TLSH	T19DA58E21F1C0807AE4F5157096FF7A5B246CA9B6472838D7E7986EC928741F27A3C2C7
TrID	38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	OSimao
Tags:	exe Simda

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/306511/

Detection(s):

Win.Trojan.Shiz-9885535-0

Win.Trojan.Shiz-9949267-0

ditekSHen.MALWARE.Win.Ransomware.KillMBR.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.StrongPity.UNOFFICIAL

Win.Trojan.Generic-6323528-0

Win.Trojan.7348569-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Creating a file in the Windows subdirectories

Searching for synchronization primitives

Сreating synchronization primitives

Creating a process from a recently created file

DNS request

Sending an HTTP GET request

Creating a file in the %temp% directory

Sending a custom TCP request

Searching for the anti-virus window

Moving of the original file

Query of malicious DNS domain

Enabling autorun

Sending an HTTP GET request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

75%

Tags:

anti-debug anti-vm cmd.exe evasive explorer.exe greyware hacktool keylogger overlay packed shell32.dll shifu shiz spyeye

Link:

https://www.filescan.io/uploads/630ecd9ae87b88e71be6b31c/reports/d8cff89d-387c-4e42-ab03-f59cbdacba5d/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

Simda Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1061128

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90a23ff30cf40dbf180e2ca98360bbcecaf1a736f7bb118efe7fbff2db7dc82c/

Threat name:

Win32.Trojan.Simda

Status:

Malicious

First seen:

2020-11-06 02:39:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

34 of 41 (82.93%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=scrd74ym6qg36gaofsuygyf3z3fpdjzw665rddx6p677fw35zawa._file

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/220831-ddx3asfhap/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Modifies WinLogon

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

90a23ff30cf40dbf180e2ca98360bbcecaf1a736f7bb118efe7fbff2db7dc82c

MD5 hash:

e4311ab08f705b3b150e1be181c9e260

SHA1 hash:

3c8cdf195e5d2ff97524c60edbcf7c1f4c58a87f

Detections:

win_simda_g0

win_simda_g1

Link:

https://www.unpac.me/results/007c07c9-2c18-4279-a33b-957ed33e663f/

Malware family:

Shifu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/90a23ff30cf4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/306511/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample