MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95865be8f76194d2d3c385034000ad089b98c0a78e582f7e5f95661b7a643d7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.FlyStudio


Vendor detections: 6



SHA256 hash: 95865be8f76194d2d3c385034000ad089b98c0a78e582f7e5f95661b7a643d7e
SHA3-384 hash: ade7999955e7bf6274ad068dbb708aa8a66bafa2c8547970fcf7bf98495a8fda30949b4100d463aa3e741a066af0397a
SHA1 hash: 0162697ebdbcd195a36f2ea833d5a3b1adb0bd30
MD5 hash: c2de9c661cadcc41a5960d2657522e80
humanhash: kentucky-kitten-twenty-vegan
File name: c2de9c66_by_Libranalysis
Signature: Adware.FlyStudio
File size: 2'696'614 bytes
First seen: 2021-05-05 11:08:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0a16a06cf586b598d76b4843b67cf2de (1 x Adware.FlyStudio)
ssdeep: 24576:5nWYXDaHMv6CorjqnyPQGzh0JONZejOuC+e4mOzrvxiI3ENyesg/jHLxQVIxX6LZ:tl1vqjdPQRw/D4mizA0dizLrB51vA
Threatray: 231 similar samples on MalwareBazaar
TLSH: AAC5BF03F7D180B1D649267229F6573EAF78DB110A31C943DBE0EEBA6D316119B2760E
Reporter: Libranalysis
Tags: Adware.FlyStudio


Libranalysis
Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads: 1
# of downloads: 147
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a file in the Program Files directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Replacing executable files
Searching for the window
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Changing a file
Creating a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Replacing files
Deleting a recently created file
Connection attempt
Creating a file in the Windows subdirectories
Launching a process
Moving of the original file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 92 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files in alternative data streams (ADS)
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Threat name: Win32.PUA.FlyStudio
Status: Malicious
First seen: 2020-05-03 16:20:15 UTC
AV detection: 40 of 48 (83.33%)
Threat level: 1/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).
Rule name: IceID_Bank_trojan
Author: unixfreaxjp
Description: Detects IcedID (adjusted several times)
Rule name: MALWARE_Win_BlackMoon
Author: ditekSHen
Description: Detects executables using BlackMoon RunTime

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-05-05 13:07:30 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0029] Cryptography Micro-objective::Cryptographic Hash
1) [C0019] Data Micro-objective::Check String
2) [C0026.001] Data Micro-objective::Base64::Encode Data
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [B0023] Execution::Install Additional Program
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0040] Process Micro-objective::Allocate Thread Local Storage
12) [C0017.003] Process Micro-objective::Create Suspended Process::Create Process
13) [C0017] Process Micro-objective::Create Process
14) [C0041] Process Micro-objective::Set Thread Local Storage Value
15) [C0018] Process Micro-objective::Terminate Process