MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e14eaa00ef1ae64fbf172f92b40b0602be0a352c5933cca9ad03a1333660508. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e14eaa00ef1ae64fbf172f92b40b0602be0a352c5933cca9ad03a1333660508
SHA3-384 hash: eff83d355c27e6babb5c8d422548c21da44a64d3064f5fd095bec4989208e7c4ac2fc1074ef10b6258c0eda7a0616318
SHA1 hash: 7bf514465739d054d327c69c6d43913be4ba705e
MD5 hash: 23a42335870bcb3992443a2f32c2dbb0
humanhash: beryllium-edward-nevada-eight
File name:Trojan.Autorun.ATA_virussign.com_23a42335870bcb3992443a2f32c2dbb0
Download: download sample
File size:499'990 bytes
First seen:2023-09-08 15:06:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 143ce2a6a5d4393bd4c950cf26bac42a
ssdeep 6144:XdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqB:N8kxNhOZElO5kkWjhD4AN
Threatray 3 similar samples on MalwareBazaar
TLSH T183B48D2AF7C08837D2631A78CD5B8668EC26BE503E2965463FF81D4C4F7938179263D6
TrID 88.8% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
2.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
2.5% (.SCR) Windows screen saver (13097/50/3)
1.9% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
1.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon 6024c4c4f4f4f1b0
Reporter Turkeytmfounder
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
TR TR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Trojan.Autorun.ATA_virussign.com_23a42335870bcb3992443a2f32c2dbb0
Verdict:
No threats detected
Analysis date:
2023-09-08 15:06:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0b95e2c7-5878-4476-8a23-06f8d99a02bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447469/
Detection(s):
PUA.Win.Packer.BorlandDelphi-5
Create hunting rule

PUA.Win.Packer.BorlandDelphi-6
Create hunting rule

Win.Worm.Fasong-2
Create hunting rule

Win.Worm.Fasong-9753929-0
Create hunting rule

Win.Worm.Fasong-9753931-0
Create hunting rule

Win.Worm.Fasong-9753932-0
Create hunting rule

Win.Worm.Fasong-9806395-0
Create hunting rule

Win.Malware.Fasong-9910797-0
Create hunting rule

Win.Malware.Fasong-9918317-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Creating a service
Creating a file in the Program Files directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Enabling autorun for a service
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7e14eaa00ef1ae64fbf172f92b40b0602be0a352c5933cca9ad03a1333660508
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Fasong Worm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/523d61cc-f429-4532-a3c8-44e92cec614f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1306263
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets file extension default program settings to executables
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306263 Sample: 21Hmytges0.exe Startdate: 08/09/2023 Architecture: WINDOWS Score: 96 34 Antivirus detection for URL or domain 2->34 36 Antivirus detection for dropped file 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 3 other signatures 2->40 7 21Hmytges0.exe 2 9 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 3 2->13         started        15 6 other processes 2->15 process3 dnsIp4 24 C:\Users\DAWJCQO.EXE, PE32 7->24 dropped 26 C:\Program Files\WQJM.EXE, PE32 7->26 dropped 28 C:\Program Files\DEUP.EXE, PE32 7->28 dropped 30 5 other malicious files 7->30 dropped 42 Creates an undocumented autostart registry key 7->42 44 Sets file extension default program settings to executables 7->44 18 TOZYY.EXE 7->18         started        46 Changes security center settings (notifications, updates, antivirus, firewall) 11->46 20 MpCmdRun.exe 1 11->20         started        48 Query firmware table information (likely to detect VMs) 13->48 32 127.0.0.1 unknown unknown 15->32 file5 signatures6 process7 process8 22 conhost.exe 20->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e14eaa00ef1ae64fbf172f92b40b0602be0a352c5933cca9ad03a1333660508/
Threat name:
Win32.Worm.Fasong
Create hunting rule
Status:
Malicious
First seen:
2023-06-28 08:24:39 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
36 of 38 (94.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pykoviao6gxgj67rol4swqfqmav6bi2sywjtzsu22a5bgm3gauea._file
Verdict:
malicious
Similar samples:
4ec636f652e10542f38b9c8efc970644a70927ccdad06b5d4e307130da9edd03
607a094b7bfa7f9a775cdd2685a6404ed225914b10086e5797ee5b2980967bbb
cd6e282159e4117dca53cf28d0c314364a2c739bd0c32173737ffb565e981bc3
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230908-shavwsch3w/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Modifies system executable filetype association
Unpacked files
SH256 hash:
7e14eaa00ef1ae64fbf172f92b40b0602be0a352c5933cca9ad03a1333660508
MD5 hash:
23a42335870bcb3992443a2f32c2dbb0
SHA1 hash:
7bf514465739d054d327c69c6d43913be4ba705e
Link:
https://www.unpac.me/results/4d8e5b25-36f6-4a43-8fc6-56f56e6e9910/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e14eaa00ef1ae64fbf172f92b40b0602be0a352c5933cca9ad03a1333660508

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447469/

Comments