MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28c5d4ff59d23953034db50e3b0246be696d767ccdd0e5e299e8617d93b5269d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28c5d4ff59d23953034db50e3b0246be696d767ccdd0e5e299e8617d93b5269d
SHA3-384 hash: 2e51213354981aa14a1e9213a8ce875c09a144e66f4f4bf774ffbb4b7c568e9bb071bbd0fd4a977913363d90d3b0acc2
SHA1 hash: 31ca7bc6096b625a130aeb7f21b8999457438155
MD5 hash: dc67525c91d2e2c48c52f18915fbe3fd
humanhash: coffee-don-berlin-virginia
File name:250428-ft4acswjs2.bin
Download: download sample
File size:65'536 bytes
First seen:2025-04-28 05:18:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0861ce3ea043a870152f8d52e10a118
ssdeep 1536:mewuJ+KdIcyd8UI993K/j49Xlf7etbT0:mpgBShqUI99aLSBatv0
TLSH T19E5302D3ABFC08E2F58256BDFAD23E24510EE652F5553A3192F9ADC14E0F22466F8470
TrID 34.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
34.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter UNP4CK

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
250428-ft4acswjs2.bin
Verdict:
Malicious activity
Analysis date:
2025-04-28 05:42:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3ec2673-d426-4ebe-9740-4934b9e81fc0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4617/
Detection(s):
SecuriteInfo.com.HTML-8314.UNOFFICIAL
Create hunting rule

Win.Trojan.Toopu-1
Create hunting rule

Win.Malware.Flymux-9945767-0
Create hunting rule

Win.Downloader.Flymux-10012416-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680f13fac8b2e86d0ac39865
Tags:
downloader dropper virus madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Modifying an executable file
Launching a process
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Changing the Windows explorer settings to hide files extension
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy masquerade microsoft_visual_cc packed packed packed packer_detected razy upx virtual
Link:
https://www.filescan.io/uploads/680f0fca218c4a98ade490a4/reports/97e32853-12fc-4466-a55e-1bcac9f75603/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/28c5d4ff59d23953034db50e3b0246be696d767ccdd0e5e299e8617d93b5269d
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51146831-3a9b-44dc-a793-e4caffc90ebb
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1675942
Signature
Antivirus / Scanner detection for submitted sample
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Drops executables to the windows directory (C:\Windows) and starts them
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Queries disk data (e.g. SMART data)
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Windows shortcut file (LNK) contains suspicious command line arguments
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1675942 Sample: 250428-ft4acswjs2.bin.exe Startdate: 28/04/2025 Architecture: WINDOWS Score: 100 63 www.wz157.cn 2->63 65 www.superqqface.com 2->65 67 9 other IPs or domains 2->67 83 Antivirus / Scanner detection for submitted sample 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 2 other signatures 2->89 12 250428-ft4acswjs2.bin.exe 20 6 2->12         started        16 msedge.exe 2->16         started        signatures3 process4 dnsIp5 53 C:\Windows\SysWOW64\tata_1.dll, PE32 12->53 dropped 55 C:\Windows\SysWOW64\qaxlc.dll, PE32 12->55 dropped 57 C:\Windows\SysWOW64\qaxl8.dll, PE32 12->57 dropped 59 C:\Windows\SysWOW64\Dofake.exe, PE32 12->59 dropped 103 Drops executables to the windows directory (C:\Windows) and starts them 12->103 19 rundll32.exe 16 12->19         started        24 Dofake.exe 12->24         started        26 cmd.exe 2 12->26         started        34 2 other processes 12->34 61 239.255.255.250 unknown Reserved 16->61 28 msedge.exe 16->28         started        30 msedge.exe 16->30         started        32 msedge.exe 16->32         started        file6 signatures7 process8 dnsIp9 69 www.wz157.cn 172.232.112.221, 49681, 50261, 51627 AKAMAI-ASN1EU United States 19->69 51 C:\Windows\SysWOW64\FloodCore.dll, PE32 19->51 dropped 91 System process connects to network (likely due to code injection or exploit) 19->91 93 Contains functionality to change the desktop window for a process (likely to hide graphical interactions) 19->93 95 Contains functionality to access PhysicalDrive, possible boot sector overwrite 19->95 101 5 other signatures 19->101 36 iexplore.exe 73 100 19->36         started        97 Multi AV Scanner detection for dropped file 24->97 99 Changes the view of files in windows explorer (hidden files and folders) 24->99 38 conhost.exe 26->38         started        71 googlehosted.l.googleusercontent.com 192.178.49.161, 443, 49703 GOOGLEUS United States 28->71 73 chrome.cloudflare-dns.com 172.64.41.3, 443, 49748, 49749 CLOUDFLARENETUS United States 28->73 75 3 other IPs or domains 28->75 file10 signatures11 process12 process13 40 iexplore.exe 36->40         started        dnsIp14 77 www.fydownload.com 103.224.182.208, 49684, 49685, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 40->77 79 euob.astarsbuilding.com 18.164.154.118, 443, 49724, 49725 MIT-GATEWAYSUS United States 40->79 81 3 other IPs or domains 40->81 43 ie_to_edge_stub.exe 40->43         started        45 ssvagent.exe 40->45         started        process15 process16 47 msedge.exe 43->47         started        process17 49 msedge.exe 47->49         started       
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/28c5d4ff59d23953034db50e3b0246be696d767ccdd0e5e299e8617d93b5269d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28c5d4ff59d23953034db50e3b0246be696d767ccdd0e5e299e8617d93b5269d/
Threat name:
Win32.Infostealer.Gampass
Create hunting rule
Status:
Malicious
First seen:
2011-05-30 14:36:00 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
34 of 36 (94.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fdc5j72z2i4vga2nwuhdwasgxzuw25t4zxiolyuz5bqx3e5ve2oq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
adware bootkit defense_evasion discovery persistence stealer upx
Link:
https://tria.ge/reports/250428-fzx1jatsgv/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in System32 directory
UPX packed file
Enumerates connected drives
Installs/modifies Browser Helper Object
Writes to the Master Boot Record (MBR)
Executes dropped EXE
Loads dropped DLL
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
Verdict:
Malicious
Tags:
Win.Trojan.Toopu-1
YARA:
n/a
Link:
https://app.threat.zone/submission/1148a937-2c5a-43d5-a0a1-2e28e151120c
Unpacked files
SH256 hash:
28c5d4ff59d23953034db50e3b0246be696d767ccdd0e5e299e8617d93b5269d
MD5 hash:
dc67525c91d2e2c48c52f18915fbe3fd
SHA1 hash:
31ca7bc6096b625a130aeb7f21b8999457438155
Link:
https://www.unpac.me/results/fcda2414-1cc6-4c25-af74-c9f8af467c6f/
SH256 hash:
f305f5707caf26cb73b2bc3fbcc13959ff564c5b70b5c4ca3bc187f680886dcd
MD5 hash:
fd3e7c316a70ae95521cd8964af182d7
SHA1 hash:
db3e2c1a0e22481ab27869c8582b1de61ceb2bad
Link:
https://www.unpac.me/results/fcda2414-1cc6-4c25-af74-c9f8af467c6f/
SH256 hash:
973bc9175071f4589aa7faad72dd8a0975f2941868fd7414ae061379e9163606
MD5 hash:
7596e7675341e462c54ef0710a1ace3d
SHA1 hash:
1ef6adde47db4d2c12679bd4c093c93939d9652a
Link:
https://www.unpac.me/results/fcda2414-1cc6-4c25-af74-c9f8af467c6f/
SH256 hash:
2b1f3dddc7f9cfbbc14a09f8a1f44df894ff1a4e9629bac0903dca4fd6dbe752
MD5 hash:
3c7b79c47784aa6ed209ea7bce8a4f5a
SHA1 hash:
49f622d718649db5caddc0b514905700065024e0
Link:
https://www.unpac.me/results/fcda2414-1cc6-4c25-af74-c9f8af467c6f/
SH256 hash:
64d2b3195551632d40c0031e07d69839080d39ff704892df2b410b0a816d30fa
MD5 hash:
e3f3e0bb5ceb794d6e4e0b3419f8bfcf
SHA1 hash:
571fdcd46f51d47113730b4659e85bcfa05fbf98
Link:
https://www.unpac.me/results/fcda2414-1cc6-4c25-af74-c9f8af467c6f/
SH256 hash:
81eadfc3f994d0b8f70e42b6a3781443c859e2adb4d48028dcd9f5da5ea92d55
MD5 hash:
cef0f2ed377db5c95b786689af0641fe
SHA1 hash:
7d3a4d37739abc904a51f01e3f8987e9c0dc473b
Link:
https://www.unpac.me/results/fcda2414-1cc6-4c25-af74-c9f8af467c6f/
SH256 hash:
039831d04b06227866522d9d06558bc372a1ab70ad9f71a167a169abca77b66c
MD5 hash:
530aa3d4beb6df309f4bcb415f21f665
SHA1 hash:
e905b77b661213a11af3d33329ea2dc31ff62636
Link:
https://www.unpac.me/results/fcda2414-1cc6-4c25-af74-c9f8af467c6f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28c5d4ff59d23953034db50e3b0246be696d767ccdd0e5e299e8617d93b5269d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_3
Create hunting rule
Author:Kevin Falcoz
Description:UPX 3.X
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/4617/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments