MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40fcafc4e15c0fd2e339c23f1099ce1f58348e21e2348eac680accf77864b5c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fsysna


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40fcafc4e15c0fd2e339c23f1099ce1f58348e21e2348eac680accf77864b5c9
SHA3-384 hash: 52462a78617abba470ce8f2a5f13f5850253c0df8391105c417b6b41a45c8fd466e21868467409559a0761fcb59b973d
SHA1 hash: aaeedda8d66c744d7cc2b61736ae9e8c8f3be242
MD5 hash: c3533bff8caa63835424700729aa35a2
humanhash: quiet-magazine-earth-echo
File name:c3533bff8caa63835424700729aa35a2
Download: download sample
Signature Fsysna
Create hunting rule
File size:500'832 bytes
First seen:2022-03-05 22:08:33 UTC
Last seen:2022-03-05 23:38:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c109afec2fbeb0f805be15b2feefb312 (1 x Fsysna)
ssdeep 6144:DsPtB71HSfTlJH9WXMgsY57o1ziBrxbEPdR2qcwKYV5wXNUcNQQKcsHcwLkbnfLu:sAMrlEPdR293pqFLHcwLkbJX+EJlvi
Threatray 87 similar samples on MalwareBazaar
TLSH T1C1B41282F3844DFBECB982F3886AF1741582B92E9471461D76D67E2B74F3263115BC0A
File icon (PE):PE icon
dhash icon f0e1a092969cf070 (1 x Fsysna)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bazaar.abuse.ch/download/8869188aa10bb2230b54eeaf867d45700c10f5eb2d2cf20139187cac10372231/
Verdict:
Malicious activity
Analysis date:
2022-03-05 23:22:19 UTC
Tags:
evasion trojan socelars stealer rat redline loader opendir vidar ransomware stop
Link:
https://app.any.run/tasks/bc63f93b-df17-4de0-8a50-28ba979466ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247609/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Fsysna.4c.31468.23437.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16cff8bd-eb45-4e6e-ad9d-bd948a4bb32b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/951299
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40fcafc4e15c0fd2e339c23f1099ce1f58348e21e2348eac680accf77864b5c9/
Threat name:
Win32.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2022-03-05 16:57:15 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1fa8a0ee1f1621305a2e7063c6108d81a136f363d86e067ae9607b104059259b
Fsysna
264896379166e6b349462dd06613a2a71f47316815256eb71f57aa4f11d9980c
Fsysna
3db995ab386682dabab33188fd255f3930e4791bbfc7b9f494f365516e76ade1
Fsysna
471edd7506612091e9f8ee99e718fe6a18cc705f109119e66cb9c2c5b400ba1f
Fsysna
71f2ca63111e328be5ab5d88978b8d41bd59735382cac9131500c079ef91358e
Fsysna
8a11790a57ada815e5fcb19b62fb18d2ae9f22a498f1a46b1677d3485b5c235c
Fsysna
9617dc1938ef945ab37282b04d7d083412485c144dd60c96d68f508da8a1a7c1
Fsysna
aa18910412099ecf87968e2cf4b18088ecfe5311ace3a8f7b70612ce292063f7
Fsysna
ce07198dda417c585ac5ce50c7c5376e9e48ec025dd2b6d06a210c0a72ff2935
Fsysna
fbe27506c78a9c364bdadfbdbcfe6c60a436aa3c06c0d83494ef4edda50cd93e
Fsysna
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/220305-12sttabbap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Unpacked files
SH256 hash:
e2e992746896c1ce4201ccd2e6ec5b352e5dfd921d87638aa2bbe1af8d73ca8b
MD5 hash:
807c8107a8681e17e2c1402c1f77efa9
SHA1 hash:
3a3af869d3c34517b122732e498b22d30b3deb50
Link:
https://www.unpac.me/results/fb71d229-59d0-421b-911e-e9668d819529/
SH256 hash:
40fcafc4e15c0fd2e339c23f1099ce1f58348e21e2348eac680accf77864b5c9
MD5 hash:
c3533bff8caa63835424700729aa35a2
SHA1 hash:
aaeedda8d66c744d7cc2b61736ae9e8c8f3be242
Link:
https://www.unpac.me/results/fb71d229-59d0-421b-911e-e9668d819529/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40fcafc4e15c0fd2e339c23f1099ce1f58348e21e2348eac680accf77864b5c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fsysna

Executable exe 40fcafc4e15c0fd2e339c23f1099ce1f58348e21e2348eac680accf77864b5c9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2078801/
Cape
Cape
https://www.capesandbox.com/analysis/247609/

Comments


Avatar
zbet commented on 2022-03-05 22:08:35 UTC

url : hxxp://duoproc.xyz/6/data64_5.exe