foresttiger | simp[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

simp.exe
Size

305KB
MD5

9c860ec31e77c73805372299e36e4473
SHA1

8091296e2a426b1bc8f1f5d1212f9076fd3744fd
SHA256

e06f29dccfe90ae80812c2357171b5c48fba189ae103d28e972067b107e58795
SHA512

384fe882ad00e7c0ecce4fb0e118f5c160d26d2f5e00d8e0fba3d4b24fa409bf8621d025fe4115513ef28b20a91a482332f7671f2bc25ec89fa79335f1357a00
SSDEEP

6144:/AQzYpmVm8bNveuTZBYO3qByXxw9R+KgpQ://zqmV3x7Xx6+Kg

Score

10^/10

backdoor foresttiger

Malware Config

Signatures

Detect ForestTiger backdoor 1 IoCs

backdoor

resource	yara_rule
sample	family_foresttiger

Foresttiger family
foresttiger

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
simp.exe

Files

simp.exe
.exe windows:5 windows x64 arch:x64

eadc09db9b9d663ad0b1722badb92359

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

CreateFileW
CloseHandle
LocalFree
DosDateTimeToFileTime
SetFilePointer
SystemTimeToFileTime
GetCurrentProcess
CreateDirectoryW
WideCharToMultiByte
MultiByteToWideChar
GetCurrentDirectoryW
GetFileType
DuplicateHandle
FileTimeToDosDateTime
FindFirstFileW
MapViewOfFile
UnmapViewOfFile
FileTimeToSystemTime
GetLastError
FindClose
GetLocalTime
CreateFileMappingW
FindNextFileW
GetFileInformationByHandle
GetSystemTime
GetCommandLineW
PeekNamedPipe
SetErrorMode
ReadFile
SystemTimeToTzSpecificLocalTime
HeapAlloc
UpdateProcThreadAttribute
HeapFree
WaitForSingleObject
FindFirstFileExW
OutputDebugStringW
GetModuleHandleW
GetTickCount
GetProcessHeap
OpenProcess
Sleep
CopyFileW
FormatMessageW
GetFileAttributesW
TerminateProcess
GetModuleFileNameW
GetTempPathW
RemoveDirectoryW
CreatePipe
GetOEMCP
InitializeProcThreadAttributeList
DeleteFileW
GetCurrentProcessId
GetTickCount64
CreateThread
InitializeCriticalSection
WriteFile
GetFileSize
GetProcAddress
LocalAlloc
IsBadReadPtr
GetModuleHandleA
LoadLibraryA
CreateProcessW
SetEnvironmentVariableA
CompareStringW
WriteConsoleW
SetStdHandle
HeapReAlloc
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
SetFileAttributesW
GetSystemTimeAsFileTime
GetCommandLineA
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
HeapSetInformation
GetVersion
HeapCreate
RtlUnwindEx
GetCPInfo
GetACP
IsValidCodePage
FlsGetValue
FlsSetValue
FlsFree
SetLastError
GetCurrentThreadId
FlsAlloc
GetStringTypeW
HeapSize
ExitProcess
RaiseException
RtlPcToFileHeader
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetConsoleCP
GetConsoleMode
FlushFileBuffers
GetTimeZoneInformation
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
LCMapStringW
GetUserDefaultLCID
GetLocaleInfoW
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
LoadLibraryW

user32

CharLowerW

advapi32

AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken

ole32

CoInitializeSecurity
CoInitializeEx

Sections

.text
Size: 213KB - Virtual size: 212KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 53KB - Virtual size: 53KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

eadc09db9b9d663ad0b1722badb92359

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

ole32

Sections

.text Size: 213KB - Virtual size: 212KB

.rdata Size: 53KB - Virtual size: 53KB

.data Size: 26KB - Virtual size: 50KB

.pdata Size: 9KB - Virtual size: 8KB

.rsrc Size: 512B - Virtual size: 436B

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 213KB - Virtual size: 212KB

.rdata
Size: 53KB - Virtual size: 53KB

.data
Size: 26KB - Virtual size: 50KB

.pdata
Size: 9KB - Virtual size: 8KB

.rsrc
Size: 512B - Virtual size: 436B

.reloc
Size: 2KB - Virtual size: 2KB