MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b8fd58c2935fdb8d5cdfcdb8e504b75fabbf68c7cf130d86cb912a790fdf7a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4

SHA256 hash: 4b8fd58c2935fdb8d5cdfcdb8e504b75fabbf68c7cf130d86cb912a790fdf7a0
SHA3-384 hash: d7a6144969e47e5cd1fef8b4210876d6efadc86e72aa0a4e0691b29f2c23a9ab1146a6d0a84f476153f0ac436ad1b427
SHA1 hash: 0bbb186b428b04e680e33ea9e47439d8f0f6dcb0
MD5 hash: e26d1457189b1be64d94fb19d3ef8420
humanhash: shade-three-hot-harry
File name: 4b8fd58c2935fdb8d5cdfcdb8e504b75fabbf68c7cf130d86cb912a790fdf7a0.exe
File size: 8'936'600 bytes
First seen: 2020-09-02 22:52:44 UTC
Last seen: 2020-09-02 23:44:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1f23f452093b5c1ff091a2f9fb4fa3e9 (274 x GuLoader, 36 x RemcosRAT, 23 x AgentTesla)
ssdeep: 196608:Za/oxYljYLtXNifuqUqCraAjdxqI669wg+hDfby2zmgt2dXmG:ZMrljYZ9BrVzz+Nu582dXp
Threatray: 2 similar samples on MalwareBazaar
TLSH: 719633423B00D3A7CFC572FB34397A908EA469B8E170D96D27D55C03B93967A5F0CA98
Reporter: theDark3d
Tags: exe filezilla malicious

Intelligence

File Origin
# of uploads: 2
# of downloads: 115
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Creating a window
Reading critical registry keys
Searching for the window
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 66 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to infect the boot sector
Creates an undocumented autostart registry key
Detected potential unwanted application
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Keylogger Generic
Behaviour
Behavior Graph (ID 281353; sample DRNsSH3d59.exe; start date 03/09/2020; architecture WINDOWS; score 66), recovered from the flattened graph image:

Analysis root
  Network: cnx.conceptsheartranch.com; yesno.ns1.ff.avast.com; 14 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; 2 other signatures
  Started: DRNsSH3d59.exe; svchost.exe; svchost.exe; 7 other processes

DRNsSH3d59.exe
  Network: filezilla-project.org (49.12.121.47:443, local ports 49718, 49772; HETZNER-ASDE, Germany); app.nitehe-nutete.com (143.204.201.68:443, local ports 49730, 49731; AMAZON-02US, United States); 5 other IPs or domains
  Dropped: C:\...\avastfreeantivirussetuponline.m.exe (PE32); C:\Users\user\AppData\...\nsis_appid.dll (PE32); C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32); 23 other files (none is malicious)
  Signatures: Creates an undocumented autostart registry key
  Started: avastfreeantivirussetuponline.m.exe; filezilla.exe; regsvr32.exe

svchost.exe (first instance)
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

svchost.exe (second instance)
  Network: 127.0.0.1 (unknown, unknown)

avastfreeantivirussetuponline.m.exe
  Network: analytics.ns1.ff.avast.com (5.62.40.214:443, local ports 49745, 49748; AVAST-AS-DCCZ, United Kingdom); v7event.stats.avast.com; 2 other IPs or domains
  Dropped: avast_free_antivir...etup_online_x64.exe (PE32+)
  Signatures: Query firmware table information (likely to detect VMs); Contains functionality to infect the boot sector
  Started: avast_free_antivirus_setup_online_x64.exe

filezilla.exe
  Network: dl2.cdn.filezilla-project.org (78.46.136.26:443, local port 49774; HETZNER-ASDE, Germany); update.filezilla-project.org
  Dropped: C:\Users\...\fzupdate_8989de93d9fc9273.tmp (PE32)

avast_free_antivirus_setup_online_x64.exe
  Network: v7event.stats.avast.com; analytics.ns1.ff.avast.com; analytics.ff.avast.com
  Dropped: C:\Windows\Temp\...\Instup.exe (PE32+); C:\Windows\Temp\...\Instup.dll (PE32+); C:\Windows\Temp\...\HTMLayout.dll (PE32+)
  Signatures: Query firmware table information (likely to detect VMs)
  Started: Instup.exe

Instup.exe
  Network: shepherd.ns1.ff.avast.com (77.234.44.102:443, local ports 49752, 49778; AVAST-AS-DCCZ, Czech Republic); t1024579.iavs9x.u.avast.com; 6 other IPs or domains
  Dropped: C:\Windows\Temp\...\uat_6996.dll (PE32+); C:\Windows\Temp\...\setgui_x64_ais-979.vpx (PE32+); C:\Windows\Temp\...\instup_x64_ais-979.vpx (PE32+); 8 other files (none is malicious)
  Signatures: Query firmware table information (likely to detect VMs)
  Started: instup.exe

instup.exe
  Network: alpha-ld-stack.ns1.ff.avast.com (5.45.58.61:443, local port 49779; AVAST-AS-DCCZ, Czech Republic); alpha-xqs.ns1.ff.avast.com (5.62.48.222:443, local port 49780; AVAST-AS-DCCZ, United Kingdom); 19 other IPs or domains
  Dropped: C:\Windows\Temp\...\uat_5292.dll (PE32+); C:\Program Files\...\aswde11604c20c07459.tmp (PE32); C:\Program Files\...\aswb77920cf77cf7644.tmp (PE32); 12 other files (none is malicious)
  Signatures: Query firmware table information (likely to detect VMs)
  Started: sbr.exe
Threat name: Win32.PUA.FusionCore
Status: Malicious
First seen: 2019-10-12 02:55:50 UTC
AV detection: 13 of 47 (27.66%)
Threat level: 1/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Loads dropped DLL
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments