MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 607a094b7bfa7f9a775cdd2685a6404ed225914b10086e5797ee5b2980967bbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 607a094b7bfa7f9a775cdd2685a6404ed225914b10086e5797ee5b2980967bbb
SHA3-384 hash: 91892db820a2c74b72433cf7d4f18db261605c9ce4802bfab7d092d16494100c352ca69fbd322941877d18f790169e3c
SHA1 hash: a799e488ccaf5d80b54a109b74b0a6c60f9a35a8
MD5 hash: 75d69fb9156ff5292b1fa859ad39a21c
humanhash: eighteen-yellow-aspen-texas
File name:Trojan.Autorun.ATA_virussign.com_75d69fb9156ff5292b1fa859ad39a21c
Download: download sample
File size:493'335 bytes
First seen:2023-09-08 15:12:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 143ce2a6a5d4393bd4c950cf26bac42a
ssdeep 6144:XdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqB:N8kxNhOZElO5kkWjhD4AN
Threatray 3 similar samples on MalwareBazaar
TLSH T11EA47D2AF7C08837D2631A38CD5B9668EC26BE503E2965463FF81D4C4F7938179263D6
TrID 88.8% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
2.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
2.5% (.SCR) Windows screen saver (13097/50/3)
1.9% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
1.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon 6024c4c4f4f4f1b0
Reporter Turkeytmfounder
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
TR TR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Trojan.Autorun.ATA_virussign.com_75d69fb9156ff5292b1fa859ad39a21c
Verdict:
No threats detected
Analysis date:
2023-09-08 15:22:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/70438a81-60a9-4ba8-86bc-902afa4ccd40

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447491/
Detection(s):
PUA.Win.Packer.BorlandDelphi-5
Create hunting rule

PUA.Win.Packer.BorlandDelphi-6
Create hunting rule

Win.Worm.Fasong-2
Create hunting rule

Win.Worm.Fasong-9753929-0
Create hunting rule

Win.Worm.Fasong-9753931-0
Create hunting rule

Win.Worm.Fasong-9753932-0
Create hunting rule

Win.Worm.Fasong-9806395-0
Create hunting rule

Win.Malware.Fasong-9910797-0
Create hunting rule

Win.Malware.Fasong-9918317-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a file in the Program Files subdirectories
Creating a service
Creating a file in the Program Files directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Searching for synchronization primitives
Enabling autorun for a service
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control evasive greyware hh keylogger lolbin overlay phishing regedit remote scar
Link:
https://www.filescan.io/uploads/64fb39ffa2b9c745b28cea35/reports/bc207433-6bc4-4a2d-8570-b65ad48d9d4c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/607a094b7bfa7f9a775cdd2685a6404ed225914b10086e5797ee5b2980967bbb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Fasong Worm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f44eb99-468b-4221-ac7a-b23dd66f66f8
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306292
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets file extension default program settings to executables
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/607a094b7bfa7f9a775cdd2685a6404ed225914b10086e5797ee5b2980967bbb/
Threat name:
Win32.Worm.Fasong
Create hunting rule
Status:
Malicious
First seen:
2023-06-27 21:37:51 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
36 of 38 (94.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mb5ass337j7zu5243utiljsaj3jcleklcaeg4v4x5znstaewpo5q._file
Verdict:
malicious
Similar samples:
4ec636f652e10542f38b9c8efc970644a70927ccdad06b5d4e307130da9edd03
7e14eaa00ef1ae64fbf172f92b40b0602be0a352c5933cca9ad03a1333660508
cd6e282159e4117dca53cf28d0c314364a2c739bd0c32173737ffb565e981bc3
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230908-slrmtach8z/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Unpacked files
SH256 hash:
607a094b7bfa7f9a775cdd2685a6404ed225914b10086e5797ee5b2980967bbb
MD5 hash:
75d69fb9156ff5292b1fa859ad39a21c
SHA1 hash:
a799e488ccaf5d80b54a109b74b0a6c60f9a35a8
Link:
https://www.unpac.me/results/2945948c-55e4-4f76-a676-cd38bb73155d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/607a094b7bfa7f9a775cdd2685a6404ed225914b10086e5797ee5b2980967bbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447491/

Comments