General

  • Target

    7495e6ddc3b7605b6d3e36f548fde328c8ae263bd785fdf81236fdfa3a959944N

  • Size

    257KB

  • Sample

    240919-cvw1wswdqp

  • MD5

    e32e2413b63c9b82db020bce0e46f4e0

  • SHA1

    6abb50285ce37f948cc0b4267770fc98938a737c

  • SHA256

    7495e6ddc3b7605b6d3e36f548fde328c8ae263bd785fdf81236fdfa3a959944

  • SHA512

    269ef3bd5d8cb19d3f398427c0025a57fd43b3cf6741dc0efa29a89bac67abf2b9688b49315c4f39dd1b242db65428bb75d9f5e9ac102d1a51cc7b25229ebb12

  • SSDEEP

    3072:IicFgFSqXNa0s3o2MV2SwcfjUGkmj1AWFhGIhtrJG+2ozcQU8gh1yhw7yds5VLGM:VXNNSo2EscAxmpDGIhtrTpUpH15WJS3

Malware Config

Extracted

Family

simda

Attributes
  • dga

    cihunemyror.eu

    digivehusyd.eu

    vofozymufok.eu

    fodakyhijyv.eu

    nopegymozow.eu

    gatedyhavyd.eu

    marytymenok.eu

    jewuqyjywyv.eu

    qeqinuqypoq.eu

    kemocujufys.eu

    rynazuqihoj.eu

    lyvejujolec.eu

    tucyguqaciq.eu

    xuxusujenes.eu

    puzutuqeqij.eu

    ciliqikytec.eu

    dikoniwudim.eu

    vojacikigep.eu

    fogeliwokih.eu

    nofyjikoxex.eu

    gadufiwabim.eu

    masisokemep.eu

    jepororyrih.eu

    qetoqolusex.eu

    keraborigin.eu

    ryqecolijet.eu

    lymylorozig.eu

    tunujolavez.eu

    xubifaremin.eu

    puvopalywet.eu

Targets

    • Target

      7495e6ddc3b7605b6d3e36f548fde328c8ae263bd785fdf81236fdfa3a959944N

    • Modifies WinLogon for persistence

    • simda

      Simda is an infostealer written in C++.

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services. For a DGA family such as Simda it can also reflect the sample resolving many generated domains (such as the list extracted above) while searching for a live C2 endpoint.

    • Modifies WinLogon
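The extracted DGA list and the "large amount of network flows" signature together suggest one practical use of this report: matching DNS logs against the 30 extracted domains, and flagging clients that burst-resolve sibling domains the config does not enumerate. The block below is an added example, not part of the report or of any sandbox tooling. The exact-match set is copied from the config above; the shape heuristic (11 lowercase letters under .eu, strictly alternating consonant/vowel with y treated as a vowel) is an observation about those 30 domains and is an assumption when applied to anything else, so it is kept separate from exact hits and only drives an alert above a threshold. The log line format and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Simda DGA domains extracted from this sample's config (copied from the report).
SIMDA_DGA_DOMAINS = frozenset("""
cihunemyror.eu digivehusyd.eu vofozymufok.eu fodakyhijyv.eu nopegymozow.eu
gatedyhavyd.eu marytymenok.eu jewuqyjywyv.eu qeqinuqypoq.eu kemocujufys.eu
rynazuqihoj.eu lyvejujolec.eu tucyguqaciq.eu xuxusujenes.eu puzutuqeqij.eu
ciliqikytec.eu dikoniwudim.eu vojacikigep.eu fogeliwokih.eu nofyjikoxex.eu
gadufiwabim.eu masisokemep.eu jepororyrih.eu qetoqolusex.eu keraborigin.eu
ryqecolijet.eu lymylorozig.eu tunujolavez.eu xubifaremin.eu puvopalywet.eu
""".split())

# ASSUMED heuristic: every extracted domain is an 11-letter label under .eu that
# alternates consonant/vowel (y counted as a vowel). Treat matches as weak
# signal only; short pronounceable real names can collide with it.
VOWELS = frozenset("aeiouy")
LABEL_RE = re.compile(r"^[a-z]{11}\.eu$")


def looks_like_simda_dga(domain):
    """True if the name has the consonant/vowel shape of the extracted list."""
    d = domain.lower().rstrip(".")
    if not LABEL_RE.match(d):
        return False
    label = d[:-3]  # strip ".eu"
    # consonants at even positions, vowels at odd positions
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(label))


# Constructed log format (assumed, not from the report):
#   <timestamp> <client_ip> <qtype> <qname> <rcode>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def scan_dns_log(lines):
    """Per-client counts of exact IOC hits and DGA-shaped lookups."""
    stats = defaultdict(lambda: {"exact": 0, "shaped": 0, "nxdomain": 0, "domains": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than crash
        _ts, client, _qtype, qname, rcode = m.groups()
        qname = qname.lower().rstrip(".")
        exact = qname in SIMDA_DGA_DOMAINS
        if not (exact or looks_like_simda_dga(qname)):
            continue
        s = stats[client]
        s["exact"] += int(exact)
        s["shaped"] += 1  # exact hits are shaped too
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        s["domains"].add(qname)
    return dict(stats)


def flag_clients(stats, min_shaped=5):
    """Clients with any exact IOC hit, or a burst of DGA-shaped queries
    (a sample walking its generated list). Sorted for stable output."""
    return sorted(c for c, s in stats.items() if s["exact"] or s["shaped"] >= min_shaped)


# Constructed sample log: one client hitting extracted IOCs, one hitting a
# sibling-shaped domain not in the list, one clean client, one bad line.
SAMPLE_LOG = """\
2024-09-19T10:00:01Z 10.0.0.5 A cihunemyror.eu NXDOMAIN
2024-09-19T10:00:01Z 10.0.0.5 A digivehusyd.eu NXDOMAIN
2024-09-19T10:00:02Z 10.0.0.5 A vofozymufok.eu NOERROR
2024-09-19T10:00:02Z 10.0.0.7 A www.example.com NOERROR
2024-09-19T10:00:03Z 10.0.0.9 A bytegidalop.eu NXDOMAIN
2024-09-19T10:00:03Z 10.0.0.9 A wikipedia.org NOERROR
garbage line
""".splitlines()

if __name__ == "__main__":
    stats = scan_dns_log(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(client, s["exact"], s["shaped"], s["nxdomain"], sorted(s["domains"]))
    print("flagged:", flag_clients(stats))
```

Exact hits against the extracted list are actionable on their own; the shaped-only bucket is meant for hunting (raise `min_shaped` or restrict to NXDOMAIN-heavy clients before paging anyone on it), since a sample that fails to reach its first domains will typically produce a burst of NXDOMAIN answers for names that never appeared in any single config.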

MITRE ATT&CK Enterprise v15