MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a79be0c9d7fc78d869fd3cd858dc90bc544c81cba74b29bcb461db8b32d6dfee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SimpleHelp


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a79be0c9d7fc78d869fd3cd858dc90bc544c81cba74b29bcb461db8b32d6dfee
SHA3-384 hash: a625aa673fa75c664ea624e4edc193abe2f47a00dccb4f357f318d88b39fff3593b62ed5073d5a2155df26bd9f7d4b95
SHA1 hash: 4f821aa92192ee4347793377540d6387ed39bcb2
MD5 hash: bf7419f94145568e17677e9c8da0e2cb
humanhash: north-table-comet-friend
File name:file
Download: download sample
Signature SimpleHelp
Create hunting rule
File size:40'678'128 bytes
First seen:2026-02-14 22:08:39 UTC
Last seen:2026-02-14 22:10:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash da7539752d4292fc084c7d813366cc8b (34 x SimpleHelp)
ssdeep 786432:8tGOTXLwnQ6t21uSmtrYCViSVVOd/OdBt9D7aR65lIBE7ZVWhro/fraaXCI:8T7gvFLiSVVO6l7M8aE1VWhroHF9
TLSH T1F7973324FA9259BDDE2399BCD85A8087FB59EDD30389211727F049D78E202C0952EF7D
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 SimpleHelp


Avatar
Bitsight
url: http://130.12.180.43/files/hil/random.exe

Intelligence

File Origin
# of uploads :
12
# of downloads :
210
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-02-14 22:12:02 UTC
Tags:
simplehelp rmm-tool antivm
Link:
https://app.any.run/tasks/58d02ca5-8a4f-4f9f-b7ae-462d2bdda9a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6990f29b2715406c64798e00
Tags:
dropper virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Connection attempt
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Moving a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a service
Launching a service
Searching for synchronization primitives
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Launching the process to change network settings
Enabling autorun for a service
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/a79be0c9d7fc78d869fd3cd858dc90bc544c81cba74b29bcb461db8b32d6dfee
Verdict:
Adware
File Type:
exe x64
Detections:
not-a-virus:HEUR:RemoteAdmin.Win64.Remsim.gen not-a-virus:HEUR:RemoteAdmin.Win64.Convagent.gen
Link:
https://opentip.kaspersky.com/a79be0c9d7fc78d869fd3cd858dc90bc544c81cba74b29bcb461db8b32d6dfee/results?tab=lookup
Score:
78%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a79be0c9d7fc78d869fd3cd858dc90bc544c81cba74b29bcb461db8b32d6dfee
Gathering data
Verdict:
Malicious
Threat:
Family.SIMPLEHELP
Link:
https://tip.neiki.dev/file/a79be0c9d7fc78d869fd3cd858dc90bc544c81cba74b29bcb461db8b32d6dfee
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-02-14 22:10:29 UTC
AV detection:
5 of 32 (15.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6n6bsox7r4nq2p5htmfrxeqxrkezaolu5fstpfumhnywmww37xa._file
Verdict:
malicious
Label(s):
admintool_simplehelp
Create hunting rule
Similar samples:
error
SimpleHelp
Result
Malware family:
n/a
Score:
  10/10
Tags:
backdoor defense_evasion discovery persistence privilege_escalation ransomware rat trojan
Link:
https://tria.ge/reports/260214-12y1tsaw8d/
Behaviour
Gathers network information
Gathers system information
Modifies Control Panel
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Checks installed software on the system
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Sets desktop wallpaper using registry
Modifies Windows Firewall
Network Share Discovery
Modifies file permissions
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
PeddleCheap
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a79be0c9d7fc78d869fd3cd858dc90bc544c81cba74b29bcb461db8b32d6dfee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AlternativesExample1
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SimpleHelp

Executable exe a79be0c9d7fc78d869fd3cd858dc90bc544c81cba74b29bcb461db8b32d6dfee

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3778005/

Comments