MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 638d840d131eda4e2af96e320cebb35c9b3c660c94faa8f74d239daa1e2d3810. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FlyStudio


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 638d840d131eda4e2af96e320cebb35c9b3c660c94faa8f74d239daa1e2d3810
SHA3-384 hash: 234fdfbf9df72caacda6f4da8864e3e65e21883d2ebd961cccecbd2808eeb2bf6d80880ca64d79b647ff3dcf005bfb2c
SHA1 hash: 9c95f860b6c09052596e1b2c7a9616056a47e7eb
MD5 hash: ea35ae90366c41d79d74adc6ae64ca81
humanhash: zebra-may-yankee-fanta
File name:3RјјКх.exe
Download: download sample
Signature Adware.FlyStudio
Create hunting rule
File size:3'911'680 bytes
First seen:2022-08-01 18:13:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3234862ee07e273287adca2556119b45 (1 x Adware.FlyStudio)
ssdeep 49152:bgOmJe/ivs741g84DAQ7oTZaqdwk0c05HGi2nFlIZVUzSn0V7:kJJLn1ghJ7oYqdwkLcHHwFqZVUzSn0t
Threatray 2'324 similar samples on MalwareBazaar
TLSH T150068D13F5A2C2F6F955007005AA93385F78A6751E32AB93E7A0DEF42D696F0C62331D
TrID 21.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
18.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
18.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
11.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.9% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon 3070f0e871d0c028 (4 x Adware.FlyStudio)
Reporter r3dbU7z
Tags:Adware.FlyStudio exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
345
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295666/
Detection(s):
PUA.Win.Packer.Upx-45
Create hunting rule

Win.Trojan.Flystudio-9943951-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28005/overview
Behaviour
MalwareBazaar
CursorPosition
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/62e818656336465f2a023684/reports/a198dfde-29ab-4bb6-b3ff-24d56e5c94ea/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KRBanker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bfd2594-a25a-4e61-a54e-5ae677f8ca2e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1044389
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/638d840d131eda4e2af96e320cebb35c9b3c660c94faa8f74d239daa1e2d3810/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-07-26 04:54:36 UTC
File Type:
PE (Exe)
Extracted files:
139
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mogyiditd3ne4kxznyzaz25tlsntyzqmst5kr52neoo2uhrnhaia._file
Verdict:
malicious
Similar samples:
20011215fe21d6a57a2a6af4b8788957d707bf965c1933573b0e3b71decdaff5
Adware.FlyStudio
2f5d5ebb1081dde3e9314ebbc61466f3686361d356f881533725d6fbf0002aa8
Adware.FlyStudio
41ccfe90282ef9f607a6abfcce0ff6af362970d454a568fe2d214dc4c3a7b17b
Adware.FlyStudio
485a5454645f5d90d1b3097336b08dcaa9d4b49db9738a2f953e81081002600d
Adware.FlyStudio
7c251123eb36d87a056ea6f68a795ba35595090e4f46b3e38e04a52bb9851cd2
Adware.FlyStudio
8e6ab3fa1fd0a8bcef6b042cd9f0120847180ec1e57b10c28336ace670470e22
Adware.FlyStudio
94b85015bb3beb57e1810aec53712b8158fa10e3a970b0ee65484be34b3073cd
Adware.FlyStudio
c2c66ec47fc9c969de74cbb8ae050243e5c51e8033811cb04bd3b975d0037d1b
Adware.FlyStudio
+ 2'314 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
upx
Link:
https://tria.ge/reports/220801-wvbjqsfgb8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Loads dropped DLL
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Unpacked files
SH256 hash:
638d840d131eda4e2af96e320cebb35c9b3c660c94faa8f74d239daa1e2d3810
MD5 hash:
ea35ae90366c41d79d74adc6ae64ca81
SHA1 hash:
9c95f860b6c09052596e1b2c7a9616056a47e7eb
Link:
https://www.unpac.me/results/df1387d9-8eb7-46b4-b4d3-f1d889621936/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/638d840d131eda4e2af96e320cebb35c9b3c660c94faa8f74d239daa1e2d3810

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adware.FlyStudio

Executable exe 638d840d131eda4e2af96e320cebb35c9b3c660c94faa8f74d239daa1e2d3810

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/295666/

Comments