MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3db995ab386682dabab33188fd255f3930e4791bbfc7b9f494f365516e76ade1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fsysna


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3db995ab386682dabab33188fd255f3930e4791bbfc7b9f494f365516e76ade1
SHA3-384 hash: 39c2c43c2ba4ddc428ed0663848e69639f36936b5e42f61b491ef45e4e31326b0ade037b31f81286f46ab1a9dd69b35a
SHA1 hash: 78a0f48e5573819b48faedf856c192f657e521dc
MD5 hash: 4ecc392d78b44320a9ba19b1495d5c52
humanhash: romeo-autumn-march-april
File name:data64_5.exe
Download: download sample
Signature Fsysna
Create hunting rule
File size:1'089'392 bytes
First seen:2022-02-24 07:06:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 89eeb57b303a1231a34736aa642e325f (1 x Fsysna)
ssdeep 24576:vbWwZKBn/Tliaa4ns16xQ2D6W4kTSY2P7OZ0:v6LlxDvj6Pk+YIZ
Threatray 445 similar samples on MalwareBazaar
TLSH T1B135384127F961EAF5B2DF39653F411B8F327C2519B5850A5F20B93C0C74A478A3ABE2
File icon (PE):PE icon
dhash icon 304c4d4d4e8e3b4a (1 x Fsysna)
Reporter adm1n_usa32
Tags:eclipper exe


Avatar
adm1n_usa32
could be emotet? executes its payload after restart so hell if i know

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
win_setup__621708b8b769c.exe
Verdict:
Malicious activity
Analysis date:
2022-02-24 04:34:29 UTC
Tags:
loader trojan rat redline evasion stealer opendir arkei vidar
Link:
https://app.any.run/tasks/ebe901ec-f4ec-4be2-b231-bbabb4cee1f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244079/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39058709.9260.26753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe fingerprint greyware overlay packed scriptrunner.exe shell32.dll
Link:
https://www.filescan.io/uploads/62172e9ea6f52d32f17e64c2/reports/8b183a05-bdca-471f-b1b1-eba403960f27/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
EClipper
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab6169dd-8616-4329-9e35-1a1146c21e88
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/945410
Signature
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3db995ab386682dabab33188fd255f3930e4791bbfc7b9f494f365516e76ade1/
Threat name:
Win32.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2022-02-23 17:11:09 UTC
File Type:
PE (Exe)
Extracted files:
75
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
Fsysna
0cba0f9dafbb15b07c0e8b87ccd3ea7c306198b67dd480c42aa822c0e51ad2e8
Fsysna
28b37d67a0ba8991fbae8ea2048f44ee06d8c3df823750e585ca0322df10ef14
Fsysna
4f83d00a482375e2fc4321fd82e0172b85013eac3a41cf1eec700d8e365bf9ce
Fsysna
7d45f54744ff5c0cee3b3053ce2173a115251862eeba050b429ea911f7c36296
Fsysna
e316a2df7796cac9a0f6dff3cfa3ae63083e6a7208e95e7458d2fcae9dbf3535
Fsysna
+ 435 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/220224-hxm4nacbe5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Unpacked files
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/08eea221-af80-48a0-9653-0928fc88fe16/
SH256 hash:
b277fe4578d356d7035df488ad4460e9013b422ebc82913e2960eaf0318e78df
MD5 hash:
e536fb4391add7fa628f1f13ea8f19f1
SHA1 hash:
8e6274341a8acd51d8598a53ec843b18d01d14da
Link:
https://www.unpac.me/results/08eea221-af80-48a0-9653-0928fc88fe16/
SH256 hash:
3db995ab386682dabab33188fd255f3930e4791bbfc7b9f494f365516e76ade1
MD5 hash:
4ecc392d78b44320a9ba19b1495d5c52
SHA1 hash:
78a0f48e5573819b48faedf856c192f657e521dc
Link:
https://www.unpac.me/results/08eea221-af80-48a0-9653-0928fc88fe16/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3db995ab386682dabab33188fd255f3930e4791bbfc7b9f494f365516e76ade1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/1c85d701-655d-4b30-a2a8-9e6f391d16bd
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/244079/

Comments