Backdoor:Win32/Simbot (file analysis)

Malware Removal

Backdoor:Win32/Simbot is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to fully scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the Backdoor:Win32/Simbot virus do?

  • Sample contains Overlay data
  • HTTPS URLs from behavior
  • CAPE extracted potentially suspicious content
  • Unconventional language used in binary resources: Chinese (Simplified)
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Behavioural detection: Injection (inter-process)
  • Attempts to modify proxy settings
  • Deletes executed files from disk

How to identify Backdoor:Win32/Simbot?

File Info:

name: 74EF456C447E05166E7C.mlw
path: /opt/CAPEv2/storage/binaries/258cccee86274e0f3d44508330afe74319073fd3257165f4998c77ce3c7fe6f0
crc32: FE21D79B
md5: 74ef456c447e05166e7c66314b68f658
sha1: 23eed0a4663edb914d66357eb6664ddb006cfff7
sha256: 258cccee86274e0f3d44508330afe74319073fd3257165f4998c77ce3c7fe6f0
sha512: 89d28bf64a770769efa31872e74dde9b6c277ec2f34ea89c68ca2872501f029c1006b014f5f1e8e97d7780740f04d14bdf923dcf2a26ae4ee8d304ffc1ad55a3
ssdeep: 384:rN3mWZ1t1CIymdffvSM5Pev7pDvrMB1P5byFdd78o8gh0TZIn:rNnntymdffp5u76B9t0dh8Hgh0tIn
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T127D2B0027BFA25BAE9FF9B305F3316B256B83C504F33CD2F0B532256055AD40A421A0A
sha3_384: 758026cfeb8b448bdbcaa06e49918c9d03c5de78c8f54290246359b453426910433be335c459d653f294d0f29c9e8635
ep_bytes: 558bec6aff6880204000685018400064
timestamp: 2012-02-10 01:33:04

Version Info:

CompanyName: Adobe Systems, Inc.
FileDescription: Adobe® Flash® Player10.1 r53
FileVersion: 10,1,53,64
InternalName: Adobe® Flash® Player 10.1
LegalCopyright: Copyright © 1996-2010 Adobe, Inc.
LegalTrademarks: Adobe® Flash® Player
OriginalFilename: FlashUtil.exe
ProductName: Flash® Player
ProductVersion: 10,1,53,64
Translation: 0x0409 0x04b0

Backdoor:Win32/Simbot is also known as (vendor: detection name):

Lionic: Trojan.Win32.Inject.4!c
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Trojan.ExplorerHijack.bq1@a4hn8ohb
FireEye: Generic.mg.74ef456c447e0516
Skyhigh: BackDoor-FADY!74EF456C447E
ALYac: Gen:Trojan.ExplorerHijack.bq1@a4hn8ohb
VIPRE: Gen:Trojan.ExplorerHijack.bq1@a4hn8ohb
Sangfor: Suspicious.Win32.Save.ins
K7AntiVirus: Trojan-Downloader ( 005324121 )
BitDefender: Gen:Trojan.ExplorerHijack.bq1@a4hn8ohb
K7GW: Trojan-Downloader ( 005324121 )
Cybereason: malicious.4663ed
Symantec: Downloader
ESET-NOD32: a variant of Win32/Injector.PHK
APEX: Malicious
ClamAV: Win.Trojan.Injector-6297684-0
Kaspersky: Trojan.Win32.Miancha.gsf
Alibaba: Backdoor:Win32/Miancha.efd551c5
NANO-Antivirus: Trojan.Win32.Taidoor.dbybcs
Rising: Backdoor.Simbot!8.11B (TFE:5:0DYCcJhIIJF)
F-Secure: Trojan.TR/Crypt.ZPACK.Gen
DrWeb: Trojan.Taidoor
Zillya: Trojan.Inject.Win32.33736
TrendMicro: BKDR_SIMBOT.SMD
Trapmine: malicious.high.ml.score
Emsisoft: Gen:Trojan.ExplorerHijack.bq1@a4hn8ohb (B)
SentinelOne: Static AI – Malicious PE
MAX: malware (ai score=99)
Jiangmin: Trojan/Inject.rlu
Webroot: W32.Trojan.Gen
Google: Detected
Avira: TR/Crypt.ZPACK.Gen
Varist: W32/A-5d8b9057!Eldorado
Antiy-AVL: Trojan/Win32.AGeneric
Kingsoft: Win32.Trojan.Miancha.gsf
Microsoft: Backdoor:Win32/Simbot.gen
Xcitium: Malware@#2uvi8b9jyqzc9
Arcabit: Trojan.ExplorerHijack.EAACF7
ZoneAlarm: Trojan.Win32.Miancha.gsf
GData: Gen:Trojan.ExplorerHijack.bq1@a4hn8ohb
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.Inject.R27517
BitDefenderTheta: AI:Packer.7C9A6D481F
DeepInstinct: MALICIOUS
VBA32: SScope.Trojan.Winlock.2113
Cylance: unsafe
Panda: Trj/Genetic.gen
TrendMicro-HouseCall: BKDR_SIMBOT.SMD
Tencent: Win32.Trojan.Miancha.Htgl
Yandex: Trojan.GenAsa!ls5fRg8Ah4s
Ikarus: Trojan.Win32.Inject
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/Injector.NIN!tr
AVG: Win32:Downloader-SRV [Trj]
Avast: Win32:Downloader-SRV [Trj]
CrowdStrike: win/malicious_confidence_100% (D)

How to remove Backdoor:Win32/Simbot?

Backdoor:Win32/Simbot removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.