MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9431c3deecc137d04c87b1308a0ec2cb9bf35eddf862c6cd207b0fe7b5b1388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SimpleHelp


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9431c3deecc137d04c87b1308a0ec2cb9bf35eddf862c6cd207b0fe7b5b1388
SHA3-384 hash: c9b7aabcd9ec1b2211829bb21e09135bc1192ff26ad558cfe01b553849751ad1ebaf0020813fb304d5a9e53117373465
SHA1 hash: b0f97074570e389abec7b6e2958a7eafddd95970
MD5 hash: fb6eacf544740ee359cb647e62cc4842
humanhash: sink-social-sink-cardinal
File name:doc389l47.scr
Download: download sample
Signature SimpleHelp
Create hunting rule
File size:38'833'672 bytes
First seen:2026-02-25 11:03:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash da7539752d4292fc084c7d813366cc8b (44 x SimpleHelp)
ssdeep 786432:/rKU6DT0ucbTbMv22zAeV/X+0tdshTc3XyPteDeCOdeuKF1bV:/uRf+nAu2FuQd73XyFeDMnKTV
TLSH T13987331AF39599FBDE33D0FCC0854447EA9678E54381422717F085EA4E606E98A2FF6C
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter juroots
Tags:exe scr signed SimpleHelp

Code Signing Certificate

Organisation:SimpleHelp Ltd
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2024-03-18T00:00:00Z
Valid to:2027-03-19T23:59:59Z
Serial number: 02cfb51c29be655fb49ca39771c2be71
Intelligence: 45 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8e186606242b40e76a7cc652fc04d49291b68091feb74e921c634c68d636c61c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
GB GB
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
doc389l47.scr
Verdict:
Malicious activity
Analysis date:
2026-01-29 08:05:34 UTC
Tags:
simplehelp rmm-tool antivm
Link:
https://app.any.run/tasks/2ad9ec00-5b91-4bb7-82d6-907cc209338a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699ed74d8fffa866e3b1fabe
Tags:
virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Connection attempt
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Moving a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/e9431c3deecc137d04c87b1308a0ec2cb9bf35eddf862c6cd207b0fe7b5b1388
Verdict:
Adware
File Type:
exe x64
First seen:
2026-01-28T10:05:00Z UTC
Last seen:
2026-02-13T08:39:00Z UTC
Hits:
~100
Detections:
not-a-virus:HEUR:RemoteAdmin.Win64.Remsim.gen not-a-virus:HEUR:RemoteAdmin.Win64.Convagent.gen
Link:
https://opentip.kaspersky.com/e9431c3deecc137d04c87b1308a0ec2cb9bf35eddf862c6cd207b0fe7b5b1388/results?tab=lookup
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e9431c3deecc137d04c87b1308a0ec2cb9bf35eddf862c6cd207b0fe7b5b1388
Gathering data
Verdict:
Malicious
Threat:
Family.SIMPLEHELP
Link:
https://tip.neiki.dev/file/e9431c3deecc137d04c87b1308a0ec2cb9bf35eddf862c6cd207b0fe7b5b1388
Threat name:
Win64.Trojan.Supma
Create hunting rule
Status:
Malicious
First seen:
2026-01-29 00:50:24 UTC
File Type:
PE+ (Exe)
Extracted files:
680
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5fbryppozqjx2bgipmjqrihmfs436npn36dcy3gsa6yp4623coea._file
Verdict:
malicious
Label(s):
admintool_simplehelp
Create hunting rule
Similar samples:
error
SimpleHelp
Result
Malware family:
n/a
Score:
  7/10
Tags:
backdoor rat
Link:
https://tria.ge/reports/260225-m6dzkagt3g/
Behaviour
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9431c3deecc137d04c87b1308a0ec2cb9bf35eddf862c6cd207b0fe7b5b1388

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SimpleHelp

Executable exe e9431c3deecc137d04c87b1308a0ec2cb9bf35eddf862c6cd207b0fe7b5b1388

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3785440/
  
Delivery method
Distributed via web download

Comments