MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdfedb51b2759f1aff8f45087d7484f5e7fc478dc7869faa4574bb760c76b59b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Win.Worm.Fasong-5


Vendor detections: 10



SHA256 hash: cdfedb51b2759f1aff8f45087d7484f5e7fc478dc7869faa4574bb760c76b59b
SHA3-384 hash: 0b251bb5464bbb1d987eb03dc30ff16a96947303ef252388d777b4cf864918a14c5a852c7ce2ae5e628d28c799ae3bb8
SHA1 hash: 4ef67ab50ac8a73e5324c6acb40151df8b83b757
MD5 hash: 0a2744f97b0fe32b0a3c4310c1d5fec4
humanhash: xray-finch-orange-oscar
File name: Trojan.Autorun.ATA_virussign.com_0a2744f97b0fe32b0a3c4310c1d5fec4
Signature Win.Worm.Fasong-5
File size: 400'379 bytes
First seen: 2023-09-07 11:03:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 9a40b556f04c6c6d3d61394c56be6bd5 (3 x Win.Worm.Fasong-5)
ssdeep 6144:9bpGtfoVtScw2RCgrzItQB2bpGtfoVtScw:TGtAtScw3qEKBYGtAtScw
Threatray 6 similar samples on MalwareBazaar
TLSH T1CB841240AB79DCE2F8510FF15B272B69079CC2D87EAC86309516EA37367E130DDA351A
TrID 32.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
32.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Turkeytmfounder
Tags: exe Win.Worm.Fasong-5
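The file information above is what a practitioner checks before handling the download: the four digests must all match the entry, and the TrID/YARA results say the binary is UPX-packed. The following script, added here as an example and not MalwareBazaar's own tooling, computes the same digests with hashlib, compares them against the values copied from this entry, and walks the PE section table by hand to look for the UPX0/UPX1 section names that stock UPX leaves behind. `build_fake_pe()` only constructs a header skeleton for the self-test; it is not the real sample.

```python
"""Check a downloaded file against the hashes in the MalwareBazaar entry above
and look at its PE section table for the UPX packing that TrID and the YARA
hits report. Added example, not MalwareBazaar's own tooling; the expected
hashes are copied from the entry, while build_fake_pe() only constructs a
header skeleton for the self-test and is not the real sample."""
import hashlib
import struct
import sys

# Copied from the MalwareBazaar entry above; every algorithm name is one hashlib knows.
EXPECTED = {
    "md5": "0a2744f97b0fe32b0a3c4310c1d5fec4",
    "sha1": "4ef67ab50ac8a73e5324c6acb40151df8b83b757",
    "sha256": "cdfedb51b2759f1aff8f45087d7484f5e7fc478dc7869faa4574bb760c76b59b",
    "sha3_384": "0b251bb5464bbb1d987eb03dc30ff16a96947303ef252388d777b4cf864918a1"
                "4c5a852c7ce2ae5e628d28c799ae3bb8",
}


def digests(data: bytes) -> dict:
    """Compute the same four digests MalwareBazaar lists for a sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def verify(data: bytes, expected: dict = EXPECTED) -> dict:
    """Map each algorithm to whether the bytes match the entry; insist on all
    four being True before treating the file as the sample the page describes."""
    actual = digests(data)
    return {name: actual[name] == value.lower() for name, value in expected.items()}


def pe_section_names(data: bytes) -> list:
    """Walk the PE section table by hand (no pefile dependency) and return the names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # start of the COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section headers follow the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]     # 8-byte, NUL-padded section name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 unless told to rename them, so this
    is a cheap first check only; absence does not prove the file is unpacked."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def build_fake_pe(section_names, opt_size=224) -> bytes:
    """Constructed test input: DOS header, PE signature, COFF header, a zeroed
    optional header and one 40-byte section header per name. Not an executable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print("hash match:", verify(blob))
    print("sections:", pe_section_names(blob), "UPX-like:", looks_upx_packed(blob))
```

Run it as `python check_sample.py <downloaded file>`; without an argument it exercises the constructed header. The section-name check is deliberately weak on its own (UPX can be told to rename sections, and other packers imitate the names), which is why the page also reports the imphash, TLSH and YARA matches rather than relying on one indicator.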

Intelligence


File Origin
# of uploads: 1
# of downloads: 258
Origin country: TR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Trojan.Autorun.ATA_virussign.com_0a2744f97b0fe32b0a3c4310c1d5fec4
Verdict: No threats detected
Analysis date: 2023-09-07 11:04:42 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Creating a window
Creating a file
Creating a file in the Program Files subdirectories
Creating a service
Creating a file in the Program Files directory
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Enabling autorun for a service
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed scar
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sets file extension default program settings to executables
Threat name: Win32.Worm.Fasong
Status: Malicious
First seen: 2023-06-28 06:43:39 UTC
File Type: PE (Exe)
Extracted files: 24
AV detection: 36 of 38 (94.74%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence upx
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
UPX packed file
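The behaviour lists above agree on how this sample persists and evades: it rewrites the exefile `shell\open\command` handler (so every .exe launch runs it first), adds a `CurrentVersion\Run` value, registers an auto-starting service, and changes Security Center settings. The following detection logic, added here as an example and not code from MalwareBazaar or any of the sandbox vendors, turns those four behaviours into rules over Sysmon Event ID 13 (RegistryEvent, value set) records. The records and the paths in them (`hidden.exe`, the `Updater` names) are constructed for illustration, not taken from a run of this sample; the rule set generalises slightly beyond the page by also catching `RunOnce` and boot/system-start services.

```python
"""Flag the registry persistence and defence-evasion changes the sandboxes
above attribute to this sample in Sysmon Event ID 13 records. Added example,
not vendor code; SAMPLE_EVENTS and the paths in it are constructed."""
import re

EXEFILE_DEFAULT = '"%1" %*'   # stock (Default) value of HKCR\exefile\shell\open\command


def _dword(details: str):
    """Sysmon renders REG_DWORD as 'DWORD (0x00000002)'; return the int or None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def _normalize_cmd(cmd: str) -> str:
    return " ".join(cmd.split())


# (rule name, TargetObject pattern, predicate on the Details field)
RULES = [
    ("exefile_association_hijack",
     re.compile(r"\\Classes\\exefile\\shell\\open\\command\\\(Default\)$", re.I),
     lambda d: _normalize_cmd(d) != EXEFILE_DEFAULT),
    ("run_key_persistence",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
     lambda d: True),
    ("service_autostart",
     re.compile(r"\\Services\\[^\\]+\\Start$", re.I),
     lambda d: _dword(d) in (0, 1, 2)),          # boot, system, automatic start
    ("security_center_notifications_disabled",
     re.compile(r"\\Microsoft\\Security Center\\(AntiVirus|Firewall|Updates)DisableNotify$", re.I),
     lambda d: _dword(d) == 1),
]


def match_registry_event(event: dict) -> list:
    """Return the names of every rule a Sysmon EID 13 record trips."""
    if event.get("EventType") != "SetValue":
        return []
    target, details = event.get("TargetObject", ""), event.get("Details", "")
    return [name for name, pat, pred in RULES if pat.search(target) and pred(details)]


def scan(events) -> list:
    """Run the rules over a sequence of records; one finding per (record, rule)."""
    findings = []
    for ev in events:
        for rule in match_registry_event(ev):
            findings.append({"rule": rule, "image": ev.get("Image"),
                             "target": ev["TargetObject"], "details": ev.get("Details")})
    return findings


# Constructed records shaped like Sysmon EID 13 output; the executable paths are invented.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": "C:\\Users\\lab\\Desktop\\sample.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\(Default)",
     "Details": '"C:\\Program Files\\Common Files\\hidden.exe" "%1" %*'},
    {"EventType": "SetValue", "Image": "C:\\Users\\lab\\Desktop\\sample.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Windows\\hidden.exe"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Updater\\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventType": "SetValue", "Image": "C:\\Users\\lab\\Desktop\\sample.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify",
     "Details": "DWORD (0x00000001)"},
    # Benign controls: restoring the stock handler, and a manual-start (3) service.
    {"EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\(Default)",
     "Details": '"%1" %*'},
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Start",
     "Details": "DWORD (0x00000003)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['rule']:40} {f['image']} -> {f['target']} = {f['details']}")
```

The exefile rule is the one worth alerting on at high severity: a handler other than `"%1" %*` means every user-launched executable is proxied through the malware, which is also why cleanup must restore that value before removing the dropped file, or the system stops launching .exe files. The Run and service rules are noisy on their own and are better used as context joined on the same `Image`.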
Unpacked files
SHA256 hash: 0c6c575fb419352b457857145e19b395019d0bb8caa9325eb10cb46255375ebc
MD5 hash: b8facf87883f32b1b2f7769b21cc1730
SHA1 hash: d4a3a35006779528f1e80457fa2e1d6169f0ffd3
SHA256 hash: cdfedb51b2759f1aff8f45087d7484f5e7fc478dc7869faa4574bb760c76b59b
MD5 hash: 0a2744f97b0fe32b0a3c4310c1d5fec4
SHA1 hash: 4ef67ab50ac8a73e5324c6acb40151df8b83b757
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: UPXProtectorv10x2
Author: malware-lu
