MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a905521e788bdd8627b2bbdf1ec33f8952fd0924f07180e8b8be6f319aa5e0e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Fesber


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a905521e788bdd8627b2bbdf1ec33f8952fd0924f07180e8b8be6f319aa5e0e8
SHA3-384 hash: 649470f7c5c1c2ffa147897c861ae9ed3daa19ad4b08e416c262a91d3150958b1caa88ae51ac874417f5389eab152be1
SHA1 hash: 4c46276b553cc3f2a354318723070b08e1daf51e
MD5 hash: b4370865115a6684335fa944da264f40
humanhash: fix-nevada-johnny-kansas
File name:a905521e788bdd8627b2bbdf1ec33f8952fd0924f07180e8b8be6f319aa5e0e8
Download: download sample
Signature Worm.Fesber
Create hunting rule
File size:4'904'512 bytes
First seen:2022-05-03 03:20:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bbe5d518e2c84069c99198902ad5b29 (3 x Worm.Fesber)
ssdeep 98304:WbNpKHKplQCEcLjGCur9FM5rHbdt8XbHYPG4Dtjh:WRpKHKplRnLjGuVt8rUN
TLSH T16036AE12F6809073C55202319A5FB366B67DAF351A26918BE7987F1D7EB02C2EB1D313
TrID 58.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
12.7% (.EXE) InstallShield setup (43053/19/16)
8.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
7.8% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
3.1% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter Lan73722735
Tags:exe Worm.Fesber

Intelligence

File Origin
# of uploads :
1
# of downloads :
353
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a905521e788bdd8627b2bbdf1ec33f8952fd0924f07180e8b8be6f319aa5e0e8
Verdict:
Malicious activity
Analysis date:
2022-05-03 03:22:39 UTC
Tags:
installer
Link:
https://app.any.run/tasks/974a15ca-dbd1-4ef7-8ab4-058183b87c01

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268300/
Detection(s):
Win.Worm.Fesber-9939367-0
Create hunting rule

Win.Worm.Fesber-9939497-0
Create hunting rule

Win.Worm.Fesber-6747722-0
Create hunting rule

Win.Worm.Fesber-7
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Creating a file
Modifying an executable file
Creating a file in the Program Files subdirectories
Sending a custom TCP request
Enabling autorun
Infecting executable files
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16135/overview
Behaviour
MalwareBazaar
CallSleep
SystemUptime
EvasionGetTickCount
GetTempPath
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm bladabindi control.exe evasive explorer.exe fingerprint greyware njrat overlay packed replace.exe setupapi.dll shell32.dll update.exe virus
Link:
https://www.filescan.io/uploads/62709fa10d3e2bd52d230b22/reports/54689130-de20-41b4-91e5-ddcef71e460b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/558b26b3-1576-4791-b117-f39476546557
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/986861
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a905521e788bdd8627b2bbdf1ec33f8952fd0924f07180e8b8be6f319aa5e0e8/
Threat name:
Win32.Worm.Fesber
Create hunting rule
Status:
Malicious
First seen:
2022-04-09 22:37:06 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vecvehtyrpoymj5sxppr5qz7rfjp2cje6byyb2fyxzxtdgvf4dua._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220503-dwbl1sbgap/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
UPX packed file
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
6b59dac5aa33d83ee4b566e61a11f66dd552120ff395ca441cab6eabd7e7de52
MD5 hash:
86195f62cef559000dfe7f03f74b7d6d
SHA1 hash:
69a3473087eecb1db8d0b124faad4a72e39f8b58
Link:
https://www.unpac.me/results/f428a93e-dd83-4876-8487-88298780b14c/
SH256 hash:
a905521e788bdd8627b2bbdf1ec33f8952fd0924f07180e8b8be6f319aa5e0e8
MD5 hash:
b4370865115a6684335fa944da264f40
SHA1 hash:
4c46276b553cc3f2a354318723070b08e1daf51e
Link:
https://www.unpac.me/results/f428a93e-dd83-4876-8487-88298780b14c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a905521e788bdd8627b2bbdf1ec33f8952fd0924f07180e8b8be6f319aa5e0e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268300/

Comments