MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57d1612454ce37a8df2c12efdb27e1de47f0879775cab38d1d4efb3d31ba96f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Win.Worm.Fasong-5


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57d1612454ce37a8df2c12efdb27e1de47f0879775cab38d1d4efb3d31ba96f7
SHA3-384 hash: d78f92cb8ea38779c47b18d52360d7b3ed32af06ca10155b536b93a60cd23a55a014e27a1137d12a1e7e176e1a476973
SHA1 hash: 81b94cf94f7f340942dc6f2565cc7d4f72ab38fb
MD5 hash: 603a2d0d7c84db1fec48f42cdf2c65a6
humanhash: single-sodium-chicken-magazine
File name:Trojan.Autorun.ATA_virussign.com_603a2d0d7c84db1fec48f42cdf2c65a6
Download: download sample
Signature Win.Worm.Fasong-5
Create hunting rule
File size:401'331 bytes
First seen:2023-09-08 15:05:03 UTC
Last seen:2023-09-08 15:16:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a40b556f04c6c6d3d61394c56be6bd5 (3 x Win.Worm.Fasong-5)
ssdeep 6144:9bpGtfoVtScw2RCgrzItQB2bpGtfoVtScw:TGtAtScw3qEKBYGtAtScw
Threatray 9 similar samples on MalwareBazaar
TLSH T1DA841240AB79DCE2F8510FF15B272B69079CC2D87EAC86309516EA37367E130DDA351A
TrID 32.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
32.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Turkeytmfounder
Tags:exe Win.Worm.Fasong-5

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
TR TR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Trojan.Autorun.ATA_virussign.com_603a2d0d7c84db1fec48f42cdf2c65a6
Verdict:
No threats detected
Analysis date:
2023-09-08 15:06:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed11fb07-04b4-4aa4-8bc6-e27fe3e39716

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447465/
Detection(s):
PUA.Win.Packer.UpxProtector-1
Create hunting rule

Win.Worm.Fasong-9908424-0
Create hunting rule

Win.Worm.Fasong-9753929-0
Create hunting rule

Win.Worm.Fasong-9753931-0
Create hunting rule

Win.Worm.Fasong-9753932-0
Create hunting rule

Win.Worm.Fasong-9806395-0
Create hunting rule

Win.Malware.Fasong-9910797-0
Create hunting rule

Win.Malware.Fasong-9918317-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Creating a service
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Enabling autorun for a service
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/57d1612454ce37a8df2c12efdb27e1de47f0879775cab38d1d4efb3d31ba96f7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bad6ce1b-ec71-46cb-bead-b29d50bbc835
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306259
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates files in the recycle bin to hide itself
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets file extension default program settings to executables
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306259 Sample: 8z1pdoPLxA.exe Startdate: 08/09/2023 Architecture: WINDOWS Score: 100 48 Antivirus detection for URL or domain 2->48 50 Antivirus detection for dropped file 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 3 other signatures 2->54 7 8z1pdoPLxA.exe 4 10 2->7         started        11 ANFJJWS.EXE 1 2->11         started        13 svchost.exe 2->13         started        15 8 other processes 2->15 process3 dnsIp4 38 C:\Users\YLBEJQL.EXE, PE32 7->38 dropped 40 C:\Users\SVAOUHK.EXE, PE32 7->40 dropped 42 C:\ProgramData\VIJXIW.EXE, PE32 7->42 dropped 44 6 other malicious files 7->44 dropped 62 Creates files in the recycle bin to hide itself 7->62 64 Sets file extension default program settings to executables 7->64 18 DRXU.EXE 1 7->18         started        66 Antivirus detection for dropped file 11->66 68 Machine Learning detection for dropped file 11->68 22 RCOH.EXE 1 4 11->22         started        70 Changes security center settings (notifications, updates, antivirus, firewall) 13->70 24 MpCmdRun.exe 1 13->24         started        46 127.0.0.1 unknown unknown 15->46 72 Query firmware table information (likely to detect VMs) 15->72 file5 signatures6 process7 file8 28 C:\Users\ANFJJWS.EXE, PE32 18->28 dropped 56 Antivirus detection for dropped file 18->56 58 Creates an undocumented autostart registry key 18->58 60 Machine Learning detection for dropped file 18->60 30 C:\ProgramData\WILRW.EXE, PE32 22->30 dropped 32 C:\ProgramData\WGVEAB.EXE, PE32 22->32 dropped 34 C:\ProgramData\PVAOC.EXE, PE32 22->34 dropped 36 C:\ProgramDataOAIDR.EXE, PE32 22->36 dropped 26 conhost.exe 24->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57d1612454ce37a8df2c12efdb27e1de47f0879775cab38d1d4efb3d31ba96f7/
Threat name:
Win32.Worm.Fasong
Create hunting rule
Status:
Malicious
First seen:
2023-06-27 07:35:37 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
36 of 38 (94.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7iwcjcuzy32rxzmclx5wj7b3zd7bb4xoxflhdi5j35t2mn2s33q._file
Verdict:
malicious
Similar samples:
4d8febcf12d4e13f59f16516af3576201775f352b69e943223f10fffbe535306
Win.Worm.Fasong-5
4ec636f652e10542f38b9c8efc970644a70927ccdad06b5d4e307130da9edd03
Win.Worm.Fasong-5
607a094b7bfa7f9a775cdd2685a6404ed225914b10086e5797ee5b2980967bbb
Win.Worm.Fasong-5
744d7fc9796a48f7d5b1173b91d1b018f13f91db7798a3d9cfd27fb22d678898
Win.Worm.Fasong-5
7e14eaa00ef1ae64fbf172f92b40b0602be0a352c5933cca9ad03a1333660508
Win.Worm.Fasong-5
c9102acb6323c4f24b56ec7e32878b6865ba5b26b816d8febdf4b31eac5506f3
Win.Worm.Fasong-5
cd6e282159e4117dca53cf28d0c314364a2c739bd0c32173737ffb565e981bc3
Win.Worm.Fasong-5
cdfedb51b2759f1aff8f45087d7484f5e7fc478dc7869faa4574bb760c76b59b
Win.Worm.Fasong-5
de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248
Win.Worm.Fasong-5
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence upx
Link:
https://tria.ge/reports/230908-sf73lsch26/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
UPX packed file
Unpacked files
SH256 hash:
0c6c575fb419352b457857145e19b395019d0bb8caa9325eb10cb46255375ebc
MD5 hash:
b8facf87883f32b1b2f7769b21cc1730
SHA1 hash:
d4a3a35006779528f1e80457fa2e1d6169f0ffd3
Link:
https://www.unpac.me/results/b8fa6a52-eece-4901-a41a-9a8cde712210/
SH256 hash:
57d1612454ce37a8df2c12efdb27e1de47f0879775cab38d1d4efb3d31ba96f7
MD5 hash:
603a2d0d7c84db1fec48f42cdf2c65a6
SHA1 hash:
81b94cf94f7f340942dc6f2565cc7d4f72ab38fb
Link:
https://www.unpac.me/results/b8fa6a52-eece-4901-a41a-9a8cde712210/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57d1612454ce37a8df2c12efdb27e1de47f0879775cab38d1d4efb3d31ba96f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:UPXProtectorv10x2
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447465/

Comments