MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f401672fde74e85aa1f32b9dd6a523144363250483ab02859f2fe3946c15663. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f401672fde74e85aa1f32b9dd6a523144363250483ab02859f2fe3946c15663
SHA3-384 hash: 42721696fdfe1f3400cbc96d1063ea721e0c8e3a8ec2a7d8ad5757fc7bea1bfc7d8c8fb39765809e1c97a51a23005e2e
SHA1 hash: b9c0305e9f4147ae319f4f690deceb5fe23579fd
MD5 hash: 00d766fd0f7bcf3858aa2d7d3fd540b9
humanhash: mike-vegan-wyoming-thirteen
File name:FileZilla Pro 3.69.1 (x86).exe
Download: download sample
File size:24'123'617 bytes
First seen:2025-04-29 13:02:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 262f7b623746b414d0e9c48c1d61145e (2 x CoinMiner, 2 x HijackLoader, 1 x Spambot.Kelihos)
ssdeep 393216:q0Fxb8yuOgU3DUu4FHOFTeBtvp+pupMY4lWaMEWpP7njd/rFC+kdIaRH0+:/Fxb8yuOgTKFT6+puOYCwpTB/BCjma55
Threatray 92 similar samples on MalwareBazaar
TLSH T1CE37F1317A5EC43AE66E05B05A2D9AAF912CAD620B7144C7B3DCBC1B26744C35332F67
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 4a696ddce4f4f261 (26 x Gozi, 9 x AgentTesla, 3 x FFDroider)
Reporter aachum
Tags:exe


Avatar
iamaachum
https://getintoway.com/filezilla-pro/ => https://www.mediafire.com/file/5kbn1me5uwaax8k/FileZilla_Pro_3.69.1_(x86)_(x64).tar/file

Intelligence

File Origin
# of uploads :
1
# of downloads :
448
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FileZilla Pro 3.69.1 (x86).exe
Verdict:
Malicious activity
Analysis date:
2025-04-29 13:14:43 UTC
Tags:
advancedinstaller phishing
Link:
https://app.any.run/tasks/c5f98cf7-c486-4fa5-96ef-fe463a56472b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5006/
Detection(s):
SecuriteInfo.com.Variant.Zusy.588741.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6810d265c8b2e86d0ac4672a
Tags:
dropper virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for the window
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Moving a recently created file
Replacing files
Enabling autorun with the shell\open\command registry branches
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-vm cmd evasive expand fingerprint installer lolbin microsoft_visual_cc msiexec overlay overlay packed packed packer_detected remote runonce stealer
Link:
https://www.filescan.io/uploads/6810ce12218c4a98ade7562b/reports/6e500296-74d7-4f5e-995c-c30c158e494e/overview
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/7f401672fde74e85aa1f32b9dd6a523144363250483ab02859f2fe3946c15663
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad.phis
Score:
78 / 100
Link:
https://www.joesandbox.com/analysis/1677332
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Creates files in the recycle bin to hide itself
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677332 Sample: FileZilla Pro 3.69.1 (x86).exe Startdate: 29/04/2025 Architecture: WINDOWS Score: 78 122 stats-1.crabdance.com 2->122 124 pki-goog.l.google.com 2->124 126 4 other IPs or domains 2->126 152 Antivirus detection for URL or domain 2->152 154 Multi AV Scanner detection for dropped file 2->154 156 Multi AV Scanner detection for submitted file 2->156 158 9 other signatures 2->158 11 FileZilla Pro 3.69.1 (x86).exe 1 58 2->11         started        14 msiexec.exe 22 37 2->14         started        16 CanReuseTransform.exe 2->16         started        19 9 other processes 2->19 signatures3 process4 dnsIp5 98 C:\Users\user\AppData\Local\...\shiA14F.tmp, PE32+ 11->98 dropped 100 C:\Users\user\AppData\Local\...\preDF4A.tmp, PE32 11->100 dropped 112 8 other malicious files 11->112 dropped 22 s.exe 47 1007 11->22         started        26 cmd.exe 11->26         started        28 cmd.exe 11->28         started        30 msiexec.exe 11->30         started        102 C:\Windows\Installer\MSIE6DD.tmp, PE32 14->102 dropped 104 C:\Windows\Installer\MSIE4F7.tmp, PE32 14->104 dropped 106 C:\Windows\Installer\MSIE489.tmp, PE32 14->106 dropped 114 6 other malicious files 14->114 dropped 32 msiexec.exe 14->32         started        34 msiexec.exe 14->34         started        38 2 other processes 14->38 134 Multi AV Scanner detection for dropped file 16->134 136 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->136 138 Writes to foreign memory regions 16->138 146 3 other signatures 16->146 36 MSBuild.exe 16->36         started        128 127.0.0.1 unknown unknown 19->128 108 C:\Windows\System32\config\...\Value.exe, PE32+ 19->108 dropped 110 C:\Windows\System32\...\CanReuseTransform.exe, PE32+ 19->110 dropped 140 Antivirus detection for dropped file 19->140 142 Creates files in the system32 config directory 19->142 144 Loading BitLocker PowerShell Module 19->144 40 5 other processes 19->40 file6 signatures7 process8 file9 84 C:\Users\user\AppData\...\nsis_appid.dll, PE32 22->84 dropped 86 C:\Users\user\AppData\Local\...\UserInfo.dll, PE32 22->86 dropped 88 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 22->88 dropped 94 33 other malicious files 22->94 dropped 164 Creates an undocumented autostart registry key 22->164 42 regsvr32.exe 22->42         started        166 Uses cmd line tools excessively to alter registry or file data 26->166 44 conhost.exe 26->44         started        46 attrib.exe 26->46         started        48 attrib.exe 26->48         started        59 2 other processes 26->59 50 conhost.exe 28->50         started        52 attrib.exe 28->52         started        61 3 other processes 28->61 90 C:\Windows\SystemTemp\scrE781.ps1, Unicode 32->90 dropped 92 C:\Windows\SystemTemp\pssE793.ps1, Unicode 32->92 dropped 54 powershell.exe 32->54         started        168 Bypasses PowerShell execution policy 34->168 170 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->170 signatures10 process11 dnsIp12 130 loadingfreelofhr.net 185.208.156.66, 443, 49688, 49689 SIMPLECARRIERCH Switzerland 54->130 96 C:\Users\user\AppData\...\VC_redist.x64.exe, PE32 54->96 dropped 172 Powershell drops PE file 54->172 63 VC_redist.x64.exe 54->63         started        67 conhost.exe 54->67         started        file13 signatures14 process15 file16 116 C:\Users\user\AppData\Local\Temp\...\info.exe, PE32+ 63->116 dropped 118 C:\Users\user\...\dotNetFx46_Full_setup.exe, PE32+ 63->118 dropped 120 C:\Users\user\AppData\...\VC_redist.x86.exe, PE32+ 63->120 dropped 148 Multi AV Scanner detection for dropped file 63->148 150 Creates files in the recycle bin to hide itself 63->150 69 VC_redist.x86.exe 63->69         started        73 dotNetFx46_Full_setup.exe 63->73         started        75 info.exe 63->75         started        signatures17 process18 dnsIp19 80 C:\Users\user\AppData\Roaming\...\Value.exe, PE32+ 69->80 dropped 160 Multi AV Scanner detection for dropped file 69->160 162 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 69->162 82 C:\Users\user\...\CanReuseTransform.exe, PE32+ 73->82 dropped 132 stats-1.crabdance.com 82.115.223.212, 49695, 80 MIDNET-ASTK-TelecomRU Russian Federation 75->132 78 conhost.exe 75->78         started        file20 signatures21 process22
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7f401672fde74e85aa1f32b9dd6a523144363250483ab02859f2fe3946c15663
Gathering data
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 13:03:15 UTC
File Type:
PE (Exe)
Extracted files:
930
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5abm4x545hilkq7gk4522ssgfcdmmsqja5lakcz6l7dsrwbkzrq._file
Verdict:
malicious
Label(s):
hacktool_uac_dll
Create hunting rule
Similar samples:
22a07506913757e97f80ad6b8f1a2a9ec44d18b0e31fdc7adb89e3506c1ffcda
39281bfb93651a5ae270190f2c2b1ee1dee23af5202534b4c346bc052b7b8fc0
39d6c2455cdf6ef9b7b96cbf6172d1a8d3b9d5719b79ff44d47697ec40f7e209
585ab6c1cdaa65c9d08decf4e1ab1cf9327f00e18d13e85e338268ccc3587aab
b463ac9a5e008df75e1692944d7459bfe5df7c004806be2be9352383bd7bf477
e897c978dee5e96b41276425cbaba157b69e37709116a65133a3d5ac59b9312a
error
+ 82 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/250429-qaesrs1rv2/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops desktop.ini file(s)
Enumerates connected drives
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b8ea55c4-adac-4051-bc88-c5d3f918052d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f401672fde74e85aa1f32b9dd6a523144363250483ab02859f2fe3946c15663

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7f401672fde74e85aa1f32b9dd6a523144363250483ab02859f2fe3946c15663

(this sample)

Executable exe e4f6682204ce8ca3a7c7d5b26fa08a367dea4f33969013f3b840f8aaf3e3ed34

  
Link
https://tria.ge/250429-p62fzaywgx/behavioral1
  
Dropping
SHA256 e4f6682204ce8ca3a7c7d5b26fa08a367dea4f33969013f3b840f8aaf3e3ed34
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/5006/
  
Dropping
MD5 f31717eaaa7df978792a8a9344568fdd

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleScreenBufferInfo
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments